Edit report at https://bugs.php.net/bug.php?id=52624&edit=1
ID:                 52624
Updated by:         fel...@php.net
Reported by:        hirad dot navid at t-systems dot at
-Summary:           tempnam() in SAFE Mode
+Summary:           tempnam() by-pass open_basedir with inexistent directory
-Status:            Open
+Status:            Closed
Type:               Bug
Package:            Unknown/Other Function
Operating System:   RHEL 5
PHP Version:        5.2.14
-Assigned To:
+Assigned To:       felipe
Block user comment: N
Private report:     N

New Comment:

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.

Previous Comments:
------------------------------------------------------------------------
[2011-11-15 16:59:49] fel...@php.net

Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=319255
Log: - Fixed bug #52624 (tempnam() by-pass open_basedir with inexistent directory)

------------------------------------------------------------------------
[2011-05-10 15:19:33] alexis dot olivier at unicaen dot fr

Hello everybody,

We got the same case with the open_basedir restriction.
The users have no access to /tmp (they have their own tmp dir).

When calling tempnam('/tmp', 'tempname'), the open_basedir restriction takes effect and creation of the file is forbidden.

But when calling tempnam('path_that_doesnt_exist', 'tempname'), the function takes /tmp as a fallback and the file is created (overriding the open_basedir restriction).

The file can't be written (open_basedir restriction), but this bug can be used to overflow the tmp directory.

I think it lacks a test in the function to protect from writing out of the open_basedir restriction.

Test script:
------------
With open_basedir not including /tmp:

<?php
// This gives a warning
echo tempnam("/tmp", "prefix_");

// This creates a file in /tmp
echo tempnam("directory_that_not_exists", "prefix_");
?>

------------------------------------------------------------------------
[2010-08-17 14:39:52] hirad dot navid at t-systems dot at

Description:
------------
Dear PHP Team,

We are using PHP 5.2.13 and safe_mode is ON.

We have a problem using tempnam. At first we had tempnam('',tempfile);
This did not work - error "can not access /tmp".

Later I investigated and wrote the test script, and I see the following behavior.

Attention: the script must be owned by a non-root user.

The script with 7th line
$tmp_name = tempnam ( 'tmp', 'tempname' );
works fine, also with safe_mode.

When I change it to
$tmp_name = tempnam ( '/tmp', 'tempname' );
a safe_mode restriction takes effect (the one which compares UID/GID) and puts out

Warning: tempnam() [function.tempnam]: SAFE MODE Restriction in effect. The script whose uid/gid is 506/506 is not allowed to access /tmp owned by uid/gid 0/0 in /home/httpd/html/default/tempfile.php on line 7

But why does it work without the beginning '/'? Can you clarify this behavior please?

Another issue is that when I try with $tmp_name = tempnam ( '/tmp', 'tempname' );
it does not make a difference putting /tmp into open_basedir or safe_mode_include_dir; it does not work.

I have also read the changelog and have found that since PHP 5.2.12 some issues with tempnam and safe_mode have been fixed - there was a bug that tempnam ignores safe_mode. And this is correct, because I tested with PHP 5.2.11 and it worked with /tmp also.

Can you tell me what exactly has changed since version 5.2.12?

Test script:
---------------
<?PHP
$xx = sys_get_temp_dir();
echo $xx . '<br>';

for ( $x = 0; $x <= 5; $x++ )
{
    $tmp_name = tempnam ( 'tmp', 'tempname' );
    echo $tmp_name . '<br>';
}

$str = 'standing in a tempfile';
$tmp_file = fopen ( $tmp_name, 'w' );
fputs ( $tmp_file, $str );
fclose ( $tmp_file );

$fp = fopen ( $tmp_name, 'r' );
$str = fgets ( $fp, 50 );
fclose ( $fp );
echo $str;
?>

Expected result:
----------------
The script above works fine, also in safe mode.

Changing the 7th line from
$tmp_name = tempnam ( 'tmp', 'tempname' );
to
$tmp_name = tempnam ( '/tmp', 'tempname' );
brings a safe_mode restriction, which is also OK, but why does it work without / and why does it not make a difference putting /tmp into open_basedir or safe_mode_include_dir?

------------------------------------------------------------------------
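
Added example, not part of the bug report or of the fix in revision 319255: an application-side guard for code that must run on an unpatched PHP, refusing the fallback to the system temp directory that the 2011-05-10 comment describes. The name strict_tempnam() is hypothetical, and POSIX-style paths are assumed.

```php
<?php
// Added example (not PHP's own fix); strict_tempnam() is a hypothetical name.
// It refuses tempnam()'s silent fallback to the system temp directory.
function strict_tempnam($dir, $prefix)
{
    // Resolve the requested directory first. A missing or unwritable
    // directory is the case in which tempnam() falls back to the system
    // temp dir, so reject it before tempnam() is ever called.
    $realDir = realpath($dir);
    if ($realDir === false || !is_dir($realDir) || !is_writable($realDir)) {
        return false;
    }

    // "@" silences the fallback notice that newer PHP versions emit.
    $file = @tempnam($realDir, $prefix);
    if ($file === false) {
        return false;
    }

    // Defense in depth: the file must sit in the directory that was asked
    // for. If it does not, tempnam() fell back anyway (for example the
    // directory vanished between the check and the call).
    if (dirname($file) !== $realDir) {
        // Cleanup may itself be refused when open_basedir excludes the
        // fallback directory, which is why the pre-check above matters.
        @unlink($file);
        return false;
    }

    return $file;
}

// Constructed demo inputs, mirroring the report's test script.
var_dump(strict_tempnam('directory_that_not_exists', 'prefix_'));

$ok = strict_tempnam(__DIR__, 'prefix_');
var_dump($ok !== false && dirname($ok) === realpath(__DIR__));
if ($ok !== false) {
    unlink($ok);
}
```

The second call assumes the script's own directory is writable by the PHP process; where it is not, the wrapper returns false instead of creating a file elsewhere.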