ID:               46888
 Comment by:       fuxa_kos at unihost dot cz
 Reported By:      php at degoulet dot net
 Status:           Open
 Bug Type:         Safe Mode/open_basedir
 Operating System: Fedora Core
 PHP Version:      5.2.8
 New Comment:

problem still in 5.2.9


Previous Comments:
------------------------------------------------------------------------

[2008-12-17 15:22:50] php at degoulet dot net

Thanks: this workaround works fine!

------------------------------------------------------------------------

[2008-12-17 14:58:32] christian at elmerot dot se

The following patch restores part of the behaviour from 5.2.6 yet has an
extra check to see if the URL contains "../" which is where the removal
came from. It is not a 100% correct "fix" in that it still allows for
unknown URL vectors to bypass safe_mode, however, it is less broken this
way for us. Perhaps the patch will help someone else.

Remember, this is a safe_mode bypass issue that was fixed and the
underlying cause (URLs: http: mapping to a local file incorrectly) looks
to me unfixed. To me it looks as if safe_mode fails in this case but it
also does no "extra" harm that won't be allowed with safe_mode disabled.
Have I missed something?

diff -Nur php-5.2.8/main/safe_mode.c php-5.2.8_1/main/safe_mode.c
--- php-5.2.8/main/safe_mode.c  2008-07-24 18:01:59.000000000 +0200
+++ php-5.2.8_1/main/safe_mode.c        2008-12-17 15:01:07.502862702 +0100
@@ -52,6 +52,7 @@
        long uid=0L, gid=0L, duid=0L, dgid=0L;
        char path[MAXPATHLEN];
        char *s, filenamecopy[MAXPATHLEN];
+       php_stream_wrapper *wrapper = NULL;
        TSRMLS_FETCH();
 
        path[0] = '\0';
@@ -72,6 +73,15 @@
                        mode = CHECKUID_CHECK_FILE_AND_DIR;
                }
        }
+
+       /* 
+        * If given filepath is a URL, allow - safe mode stuff
+        * related to URL's is checked in individual functions
+        * Possibly/likely allows for safe_mode bypass!!!
+        */
+       wrapper = php_stream_locate_url_wrapper(filename, NULL,
STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC);
+       if ((wrapper != NULL) && (strstr(filename, "..\/") == NULL))
+               return 1;
                
        /* First we see if the file is owned by the same user...
         * If that fails, passthrough and check directory...
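
Review bot: the early return 1 in the added block skips the uid/gid and directory checks below it for every filename for which php_stream_locate_url_wrapper() returns a wrapper, and the only guard is a substring search for "../", so the safety of the shortcut rests on a one-pattern blacklist, which the hunk's own comment concedes ("Possibly/likely allows for safe_mode bypass"). I would restrict the shortcut to wrappers that are actually flagged as remote (wrapper->is_url) and let every other case fall through to the owner checks, rather than allowing on wrapper != NULL. Separately, the literal passed to strstr() is written "..\/"; \/ is not a defined C escape sequence, so it should be plain "../" instead of relying on how the compiler treats the unknown escape.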

------------------------------------------------------------------------

[2008-12-17 14:44:14] php at degoulet dot net

error msg :

Warning: copy(): Unable to access http://www.xxxxx.com/testcopy/nok.jpg
in /............/test.php

------------------------------------------------------------------------

[2008-12-17 14:17:58] php at degoulet dot net

Description:
------------
copy() does not use the allow_url_fopen status ?

Reproduce code:
---------------
<?php
// Remote copy function no longer working
copy("http://www.xxxxxx.com/testcopy/nok.jpg", "nok_copy.jpg");
?>

Expected result:
----------------
works fine in php 5.2.6 : with allow_url_fopen = On & safe_mode = On
doesn't work with the same config php 5.2.8

now, it works only if safe_mode off ?




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=46888&edit=1