ID: 46888
Comment by: fuxa_kos at unihost dot cz
Reported By: php at degoulet dot net
Status: Open
Bug Type: Safe Mode/open_basedir
Operating System: Fedora Core
PHP Version: 5.2.8
New Comment:

problem still in 5.2.9

Previous Comments:
------------------------------------------------------------------------

[2008-12-17 15:22:50] php at degoulet dot net

thanks: this workaround works fine!

------------------------------------------------------------------------

[2008-12-17 14:58:32] christian at elmerot dot se

The following patch restores part of the behaviour from 5.2.6 yet has an extra check to see if the URL contains "../" which is where the removal came from. It is not a 100% correct "fix" in that it still allows for unknown URL vectors to bypass safe_mode, however, it is less broken this way for us. Perhaps the patch will help someone else.

Remember, this is a safe_mode bypass issue that was fixed and the underlying cause (URLs: http: mapping to a local file incorrectly) looks to me unfixed. To me it looks as if safe_mode fails in this case but it also does no "extra" harm that won't be allowed with safe_mode disabled. Have I missed something?

diff -Nur php-5.2.8/main/safe_mode.c php-5.2.8_1/main/safe_mode.c --- php-5.2.8/main/safe_mode.c 2008-07-24 18:01:59.000000000 +0200 +++ php-5.2.8_1/main/safe_mode.c 2008-12-17 15:01:07.502862702 +0100 @@ -52,6 +52,7 @@ long uid=0L, gid=0L, duid=0L, dgid=0L; char path[MAXPATHLEN]; char *s, filenamecopy[MAXPATHLEN]; + php_stream_wrapper *wrapper = NULL; TSRMLS_FETCH(); path[0] = '\0';
@@ -72,6 +73,15 @@ mode = CHECKUID_CHECK_FILE_AND_DIR; } } + + /* + * If given filepath is a URL, allow - safe mode stuff + * related to URL's is checked in individual functions + * Possibly/likely allows for safe_mode bypass!!! + */ + wrapper = php_stream_locate_url_wrapper(filename, NULL, STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC); + if ((wrapper != NULL) && (strstr(filename, "..\/") == NULL)) + return 1; /* First we see if the file is owned by the same user... * If that fails, passthrough and check directory...

------------------------------------------------------------------------

[2008-12-17 14:44:14] php at degoulet dot net

error msg :
Warning: copy(): Unable to access http://www.xxxxx.com/testcopy/nok.jpg in /............/test.php

------------------------------------------------------------------------

[2008-12-17 14:17:58] php at degoulet dot net

Description:
------------
copy() does not use the allow_url_fopen status ?

Reproduce code:
---------------
<?php
// Remote copy function no longer working
copy("http://www.xxxxxx.com/testcopy/nok.jpg", "nok_copy.jpg");
?>

Expected result:
----------------
works fine in php 5.2.6 : with allow_url_fopen = On & safe_mode = On
doesn't work with the same config php 5.2.8
now, it works only if safe_mode off ?

------------------------------------------------------------------------
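
Review bot: in the second hunk of the main/safe_mode.c patch (@@ -72,6 +73,15 @@), the new `return 1` skips the owner and directory checks that follow for every filename a stream wrapper matches, and its only guard is a substring test for "../", which the patch's own comment says "Possibly/likely allows for safe_mode bypass". A denylist on one literal sequence is a weak basis for returning success from the safe_mode check, so the allowance should be narrowed to what the wrapper lookup can positively establish about the filename rather than to what the string lacks. Separately, the literal is written "..\/": `\/` is not a standard C escape sequence, so write "../" instead of depending on how the compiler treats it, and brace the `if` body since it guards a security decision.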