ID: 20190
Comment by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Open
Bug Type: Apache related
Operating System: FreeBSD
PHP Version: 4.3.0-dev

New Comment:
This is an example:

Correct: PG(open_basedir)=/www/doc/www.aaa.ch-80
Correct: zend_get_executed_filename() = /www/doc/www.aaa.ch-80/index.php
Wrong:   path=/www/doc/www.bbb.imp.ch-80/html/visions/php//ueberuns/mannschaft.php

No "/www/doc/www.bbb.imp.ch-80/html/visions/php" exists, but this is a different customer. The correct filename would be: "/www/doc/www.aaa.ch-80/ueberuns/mannschaft.php"

Also note the two "//" slashes ...

Previous Comments:
------------------------------------------------------------------------

[2002-10-31 16:15:42] [EMAIL PROTECTED]

Ok, I think I'm a bit smarter now. zend_get_executed_filename() can only be used if zend_is_executing(TSRMLS_C) is true. That explains the uninitialised values there. If I do a check for this, the errors go away and the segfaults are gone. But $path can still point to a wrong virtual server. That happens in 1/500 requests, and the thing is random. I try to solve this now.

Martin

------------------------------------------------------------------------

[2002-10-31 15:47:14] [EMAIL PROTECTED]

Hi,

>should be critical, and now you say it's fixed.
>So what's the real thing here?

It seems that we hit two different bugs. I've seen that bug 19292 was fixed for the part when a safe_mode include dir was involved. But here the problem is more complex. Some global php variables seem to be corrupted, or not properly initialised. I'm still in gdb and try to find out why.

Martin

------------------------------------------------------------------------

[2002-10-31 11:57:24] [EMAIL PROTECTED]

If you try a snapshot, put the version correctly here. Also, you added a comment to http://bugs.php.net/bug.php?id=19292 that it should be critical, and now you say it's fixed. So what's the real thing here?

------------------------------------------------------------------------

[2002-10-31 11:27:10] [EMAIL PROTECTED]

Previous dump was not the right one, sorry. I had dumps for children disabled. This is now the right one ...

(gdb) bt
#0  0x280de8e1 in strlen () from /usr/lib/libc.so.4
#1  0x17 in ?? ()
#2  0x2836decb in php_check_open_basedir (path=0x8c79c98 "/www/doc/www.skkonline.ch-80/top/scripts2/schools.php") at fopen_wrappers.c:211
#3  0x2836e19f in php_fopen_and_set_opened_path (path=0x8c79c98 "/www/doc/www.skkonline.ch-80/top/scripts2/schools.php", mode=0x284e1ac3 "rb", opened_path=0xbfbff8d8) at fopen_wrappers.c:309
#4  0x2836e89d in php_fopen_with_path (filename=0x8c79c98 "/www/doc/www.skkonline.ch-80/top/scripts2/schools.php", mode=0x284e1ac3 "rb", path=0x81ebb50 ".", opened_path=0xbfbff8d8) at fopen_wrappers.c:494
#5  0x2836edc0 in php_fopen_url_wrapper (path=0x8c79c98 "/www/doc/www.skkonline.ch-80/top/scripts2/schools.php", mode=0x284e1ac3 "rb", options=1, issock=0xbfbfe6f0, socketd=0xbfbfe6ec, opened_path=0xbfbff8d8) at fopen_wrappers.c:612
#6  0x2836e26d in php_fopen_wrapper (path=0x8c79c98 "/www/doc/www.skkonline.ch-80/top/scripts2/schools.php", mode=0x284e1ac3 "rb", options=1, issock=0xbfbfe6f0, socketd=0xbfbfe6ec, opened_path=0xbfbff8d8) at fopen_wrappers.c:335
#7  0x2836b38c in php_fopen_wrapper_for_zend (filename=0x8c79c98 "/www/doc/www.skkonline.ch-80/top/scripts2/schools.php", opened_path=0xbfbff8d8) at main.c:583
#8  0x28336463 in open_file_for_scanning (file_handle=0xbfbff8d0) at zend_language_scanner.c:2952
#9  0x28336611 in compile_file (file_handle=0xbfbff8d0, type=2) at zend_language_scanner.c:3009
#10 0x2835bb4f in zend_execute_scripts (type=8, retval=0x0, file_count=3) at zend.c:823
#11 0x2836d0b9 in php_execute_script (primary_file=0xbfbff8d0) at main.c:1399
#12 0x28367d82 in apache_php_module_main (r=0x8c78038, display_source_mode=0) at sapi_apache.c:98
#13 0x28368c2c in send_php (r=0x8c78038, display_source_mode=0, filename=0x8c79c98 "/www/doc/www.skkonline.ch-80/top/scripts2/schools.php") at mod_php4.c:684
#14 0x28368c9f in send_parsed_php (r=0x8c78038) at mod_php4.c:703
(gdb) list
206             char *newpath;
207             char *ptr;
208             char *end;
209
210             pathbuf = estrdup(PG(open_basedir));
211             newpath = estrdup(zend_get_executed_filename(TSRMLS_C));
212
213             ptr = pathbuf;
214             while (ptr && *ptr) {
215                     end = strchr(ptr, DEFAULT_DIR_SEPARATOR);

------------------------------------------------------------------------

[2002-10-31 10:40:02] [EMAIL PROTECTED]

If I allow the open_basedir restriction to pass, I now get random segfaults:

Program terminated with signal 11, Segmentation fault.
#0  0x2835d21e in _object_and_properties_init (arg=0xbfbffccc, class_type=0x0, properties=0xbfbffce2) at zend_API.c:584
584             ALLOC_HASHTABLE_REL(arg->value.obj.properties);
(gdb) bt
#0  0x2835d21e in _object_and_properties_init (arg=0xbfbffccc, class_type=0x0, properties=0xbfbffce2) at zend_API.c:584
(gdb) list
579     }
580
581     if (properties) {
582             arg->value.obj.properties = properties;
583     } else {
584             ALLOC_HASHTABLE_REL(arg->value.obj.properties);
585             zend_hash_init(arg->value.obj.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
586             zend_hash_copy(arg->value.obj.properties, &class_type->default_properties, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
587     }
588     arg->type = IS_OBJECT;
(gdb) p arg->value.obj.properties
$1 = (HashTable *) 0x636f6c2f
(gdb) p *arg->value.obj.properties
Cannot access memory at address 0x636f6c2f.
(gdb) p properties
$2 = (HashTable *) 0xbfbffce2
(gdb) p *properties
$3 = {nTableSize = 1212367181, nTableMask = 1162893652, nNumOfElements = 942893373, nNextFreeElement = 1714236726, pInternalPointer = 0x62656572, pListHead = 0x2e346473, pListTail = 0x53550033, arBuckets = 0x743d5245, pDestructor = 0x726f6f, persistent = 77 'M', nApplyCount = 65 'A', bApplyProtection = 73 'I'}
(gdb) p *arg
$4 = {value = {lval = 1920169263, dval = 9.4870166287391071e+170, str = {val = 0x7273752f <Address 0x7273752f out of bounds>, len = 1668246575}, ht = 0x7273752f, obj = {ce = 0x7273752f, properties = 0x636f6c2f}}, type = 97 'a', is_ref = 108 'l', refcount = 29487}

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/20190
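As an added illustration (not code from PHP or from this report), the following C sketch shows an open_basedir-style check shaped like the fopen_wrappers.c fragment listed above: it splits the ':'-separated list and tests each entry, but only consults the executing script's filename when the caller says a script is executing, which is the zend_is_executing() guard the 16:15:42 comment arrived at, and it collapses the "//" noted in the newest comment before comparing. Function names, the 4096-byte buffer and the fail-closed handling of paths that cannot be resolved are my assumptions.

```c
/* Illustrative open_basedir-style check written for this thread; it is NOT
 * PHP's php_check_open_basedir(). Names and fail-closed behaviour are assumptions. */
#include <stdlib.h>
#include <string.h>
/* Collapse runs of '/' so "a//b" equals "a/b" (the "//" noted in the report). */
static char *normalize_slashes(const char *path) {
    char *out = malloc(strlen(path) + 1), *w = out;
    for (const char *r = path; *r; r++)
        if (!(*r == '/' && w > out && w[-1] == '/')) *w++ = *r;
    *w = '\0';
    return out;
}
/* Prefix match on a directory boundary: "/www/doc/a" must not admit "/www/doc/ab/x". */
static int path_within(const char *base, const char *path) {
    size_t bl = strlen(base);
    while (bl > 1 && base[bl - 1] == '/') bl--;          /* ignore trailing '/' */
    return strncmp(base, path, bl) == 0 && (path[bl] == '/' || path[bl] == '\0');
}
/* Returns 0 if `path` is allowed by the ':'-separated `open_basedir`, else -1.
 * A relative path is resolved against the executing script's directory, which
 * only exists while a script executes (the zend_is_executing() guard); if it
 * cannot be resolved the path is denied rather than built from stale state. */
int check_open_basedir(const char *open_basedir, const char *path,
                       int executing, const char *executed_filename) {
    char full[4096];
    if (path[0] != '/') {
        if (!executing || executed_filename == NULL) return -1;
        const char *slash = strrchr(executed_filename, '/');
        size_t dl = slash ? (size_t)(slash - executed_filename) : 0;
        if (dl + 1 + strlen(path) >= sizeof full) return -1;
        memcpy(full, executed_filename, dl);
        full[dl] = '/';
        strcpy(full + dl + 1, path);
        path = full;
    }
    char *list = malloc(strlen(open_basedir) + 1), *norm = normalize_slashes(path);
    strcpy(list, open_basedir);
    int allowed = -1;
    for (char *ptr = list, *end = NULL; ptr && *ptr && allowed; ptr = end ? end + 1 : NULL) {
        if ((end = strchr(ptr, ':'))) *end = '\0';   /* DEFAULT_DIR_SEPARATOR on Unix */
        char *base = normalize_slashes(ptr);
        if (path_within(base, norm)) allowed = 0;
        free(base);
    }
    free(list); free(norm);
    return allowed;
}
```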
