Edit report at http://bugs.php.net/bug.php?id=52312&edit=1
ID:                 52312
Updated by:         paj...@php.net
Reported by:        v dot damore at gmail dot com
Summary:            PHP lstat problem
-Status:            Feedback
+Status:            Analyzed
Type:               Bug
Package:            Safe Mode/open_basedir
Operating System:   Linux
PHP Version:        5.2.13

New Comment:

The reason was due to a security flaw involving symbolic links and the realpath cache. It allowed open_basedir to be bypassed when a path was cached. The cleanest way to fix it was to disable the realpath cache when open_basedir/safemode are set.

Thanks Johannes for reminding us about this change.


Previous Comments:
------------------------------------------------------------------------
[2010-07-13 11:01:23] v dot damore at gmail dot com

Looking at the source code main/main.c of 5.2.13 I can see:

1292:
    /* Disable realpath cache if safe_mode or open_basedir are set */
    if (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir))) {
        CWDG(realpath_cache_size_limit) = 0;
    }

1769:
    /* Disable realpath cache if safe_mode or open_basedir are set */
    if (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir))) {
        CWDG(realpath_cache_size_limit) = 0;
    }

So the realpath cache is definitely disabled in case of safe_mode or open_basedir. This dramatically reduces the performance of the PHP engine, and this behavior can bring a server to its knees. Especially because there is a lack of documentation!

Can you explain why this choice? Must I continue debugging the PHP engine in order to understand what's happening?

------------------------------------------------------------------------
[2010-07-13 01:52:37] v dot damore at gmail dot com

I found where the problem is; this behavior is not a bug.
Looking at main/main.c I found the following lines:

1416:
    /* Disable realpath cache if safe_mode or open_basedir are set */
    if (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir))) {
        CWDG(realpath_cache_size_limit) = 0;
    }

1978:
    /* Disable realpath cache if safe_mode or open_basedir are set */
    if (PG(safe_mode) || (PG(open_basedir) && *PG(open_basedir))) {
        CWDG(realpath_cache_size_limit) = 0;
    }

Could you explain why, if safe_mode or open_basedir are set, the realpath cache is disabled?

------------------------------------------------------------------------
[2010-07-13 01:38:26] v dot damore at gmail dot com

There is an interesting update: I have found the CWDG define, so now we have:

(gdb) print cwd_globals.realpath_cache_size_limit
$3 = 0

Probably you should check why realpath_cache_size_limit is equal to 0.

------------------------------------------------------------------------
[2010-07-13 01:30:24] v dot damore at gmail dot com

After having set a breakpoint on tsrm_realpath_r, I executed a step-by-step debug. I think it is interesting that after executing line 681 of tsrm_virtual_cwd.c, execution continues on line 890.

(gdb) break tsrm_realpath_r
Breakpoint 1 at 0x2b0b3c9f2702: file /usr/local/sitipersonali/sitipersonali01/NSP_SERVICE/strillo/sources/php-5.3.2/TSRM/tsrm_virtual_cwd.c, line 611.
(gdb) continue
Continuing.
Breakpoint 1, tsrm_realpath_r (path=0x7fffddfb32b0 "/usr/local/myspace/webspace/httpdocs/test.php", start=1, len=45, ll=0x7fffddfb32ac, t=0x7fffddfb32a0, use_realpath=2, is_dir=0, link_is_dir=0x0) at /usr/local/sitipersonali/sitipersonali01/NSP_SERVICE/strillo/sources/php-5.3.2/TSRM/tsrm_virtual_cwd.c:611
611         int directory = 0;
(gdb) step
624         if (len <= start) {
(gdb) step
628         i = len;
(gdb) step
629         while (i > start && !IS_SLASH(path[i-1])) {
(gdb) step
630             i--;
(gdb) step
629         while (i > start && !IS_SLASH(path[i-1])) {
(gdb) step
630             i--;
(gdb) step
629         while (i > start && !IS_SLASH(path[i-1])) {
(gdb) step
630             i--;
(gdb) step
629         while (i > start && !IS_SLASH(path[i-1])) {
(gdb) step
630             i--;
(gdb) step
629         while (i > start && !IS_SLASH(path[i-1])) {
(gdb) step
630             i--;
(gdb) step
629         while (i > start && !IS_SLASH(path[i-1])) {
(gdb) step
630             i--;
(gdb) step
629         while (i > start && !IS_SLASH(path[i-1])) {
(gdb) step
630             i--;
(gdb) step
629         while (i > start && !IS_SLASH(path[i-1])) {
(gdb) step
630             i--;
(gdb) step
629         while (i > start && !IS_SLASH(path[i-1])) {
(gdb) step
633         if (i == len ||
(gdb) step
639         } else if (i == len - 2 && path[i] == '.' && path[i+1] == '.') {
(gdb) step
677         path[len] = 0;
(gdb) step
679         save = (use_realpath != CWD_EXPAND);
(gdb) step
681         if (start && save && CWDG(realpath_cache_size_limit)) {
(gdb) watch save
Hardware watchpoint 2: save
(gdb) print save
$1 = 1
(gdb) print start
$2 = 1
(gdb) print realpath_cache_size_limit
No symbol "realpath_cache_size_limit" in current context.
(gdb) step
890         if (save && lstat(path, &st) < 0) {
(gdb)

------------------------------------------------------------------------
[2010-07-13 00:59:44] ras...@php.net

Set a bp and step through tsrm_realpath_r and figure out why it isn't getting to the realpath_cache_find() call there. Seems like it should be getting there from the backtraces.
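Added illustration, not part of this bug report and not PHP's own code: a toy C model of why a path cache keyed on the unresolved path string is unsafe to combine with an open_basedir-style check, and why forcing the cache size limit to 0 (the effect of the main.c lines quoted in the comments above) closes the hole. The one-slot cache, the temporary directory layout under /tmp, and the function names (cached_realpath, access_allowed, stale_cache_passes_check) are assumptions made for this example; PHP's real realpath cache and open_basedir code are more elaborate.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Toy model (assumption, not PHP's real structure) of a realpath cache
 * keyed on the unresolved path. One slot is enough to show the hazard. */
struct cache_entry {
    char path[PATH_MAX];
    char resolved[PATH_MAX];
    int valid;
};
static struct cache_entry g_cache;

/* Stands in for CWDG(realpath_cache_size_limit): 0 means every lookup
 * goes to the filesystem, non-zero means cached results are reused. */
static int g_cache_enabled = 1;

static char *cached_realpath(const char *path, char *out)
{
    if (g_cache_enabled && g_cache.valid && strcmp(g_cache.path, path) == 0) {
        strcpy(out, g_cache.resolved);   /* cache hit: symlinks are NOT re-read */
        return out;
    }
    if (realpath(path, out) == NULL)
        return NULL;
    if (g_cache_enabled) {
        snprintf(g_cache.path, sizeof g_cache.path, "%s", path);
        snprintf(g_cache.resolved, sizeof g_cache.resolved, "%s", out);
        g_cache.valid = 1;
    }
    return out;
}

/* open_basedir-style rule: the resolved path must lie inside basedir. */
static int within_basedir(const char *resolved, const char *basedir)
{
    size_t n = strlen(basedir);
    return strncmp(resolved, basedir, n) == 0 &&
           (resolved[n] == '/' || resolved[n] == '\0');
}

static int access_allowed(const char *path, const char *basedir)
{
    char resolved[PATH_MAX];
    if (cached_realpath(path, resolved) == NULL)
        return 0;
    return within_basedir(resolved, basedir);
}

/* Builds a throwaway tree under /tmp (constructed test data), points
 * web/link at a directory inside basedir and checks it (populating the
 * cache), then repoints the symlink at a directory outside basedir and
 * checks the same path again. Returns 1 if the second check still passes
 * (stale cache lets the path through), 0 if it is denied, -1 on setup error. */
int stale_cache_passes_check(int cache_enabled)
{
    char tmpl[] = "/tmp/rpcache.XXXXXX";
    char root[PATH_MAX], basedir[PATH_MAX], inside[PATH_MAX];
    char outside[PATH_MAX], lnk[PATH_MAX];
    int first, second;

    /* realpath() the root too, in case /tmp is itself a symlink */
    if (mkdtemp(tmpl) == NULL || realpath(tmpl, root) == NULL)
        return -1;
    snprintf(basedir, sizeof basedir, "%s/web", root);
    snprintf(inside, sizeof inside, "%s/web/data", root);
    snprintf(outside, sizeof outside, "%s/private", root);
    snprintf(lnk, sizeof lnk, "%s/web/link", root);
    if (mkdir(basedir, 0700) || mkdir(inside, 0700) || mkdir(outside, 0700) ||
        symlink(inside, lnk))
        return -1;

    g_cache_enabled = cache_enabled;
    g_cache.valid = 0;

    first = access_allowed(lnk, basedir);   /* link -> web/data: allowed, cached */
    unlink(lnk);
    symlink(outside, lnk);                  /* link -> private: outside basedir */
    second = access_allowed(lnk, basedir);  /* cache hit returns the stale answer */

    unlink(lnk); rmdir(inside); rmdir(outside); rmdir(basedir); rmdir(root);
    return (first == 1 && second == 1) ? 1 : 0;
}

int main(void)
{
    printf("cache enabled : %s\n", stale_cache_passes_check(1) ? "stale result accepted" : "denied");
    printf("cache disabled: %s\n", stale_cache_passes_check(0) ? "stale result accepted" : "denied");
    return 0;
}
```

With the cache enabled the second check reuses the resolution from before the symlink changed, so the restriction is judged on a path that no longer exists; with the cache disabled (the behaviour the quoted main.c lines enforce under safe_mode/open_basedir) the second lookup reads the symlink again and is denied. The performance cost the reporter observes is the price of that second filesystem walk on every lookup.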
------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at
http://bugs.php.net/bug.php?id=52312

--
Edit this bug report at http://bugs.php.net/bug.php?id=52312&edit=1