#26974 [Opn->Asn]: rename() doesn't check newname permissions in safe_mode

Tue, 20 Jan 2004 17:34:02 -0800 

 ID:               26974
 Updated by:       [EMAIL PROTECTED]
 Reported By:      daveb at esat dot net
-Status:           Open
+Status:           Assigned
 Bug Type:         Filesystem function related
 Operating System: Linux
 PHP Version:      4.3.4
-Assigned To:      
+Assigned To:      iliaa


Previous Comments:
------------------------------------------------------------------------

[2004-01-20 06:37:26] daveb at esat dot net

Description:
------------
When running under apache2 with a perchild MPM & safe_mode turned on,
it is possible to rename a file owned by a user into a directory that
the user does not own but has write permissions too. This works, even
when safe_mode is turned on.

A simple example is ...

[EMAIL PROTECTED]:$ touch moo
[EMAIL PROTECTED]:$ ls -la moo
-rw-r--r--    1 daveb    noc             0 Jan 20 11:31 moo


The php script is simply...

rename ("./moo", "/tmp/crap");


Once called, the file moves to /tmp, even though the directory is owned
by root.

[EMAIL PROTECTED]:$ ls -la /tmp/crap
-rw-r--r--    1 daveb    noc             0 Jan 20 11:31 crap



It would appear that in ext/standard/file., in the rename() function,
no checking is done on new_name to see if the user has the correct UID
to write into that destination directory.

Changing line 1890 to the following ...

if (PG(safe_mode) && (!php_checkuid(old_name, NULL,
CHECKUID_CHECK_FILE_AND_DIR) || !php_checkuid(new_name, NULL,
CHECKUID_CHECK_FILE_AND_DIR))) {

adds checking for the destination as well and prevents users writing
into directories, where although they have permission to write into,
they do not own that directory and should not be writing too.

When running with that extra check, php now logs...

[client ::1] PHP Warning:  rename(): SAFE MODE Restriction in effect. 
The script whose uid is 677 is not allowed to access /tmp owned by uid
0 in /usr/local/apache/iweb/rename.php on line 3


According to
http://ie2.php.net/manual/en/features.safe-mode.functions.php,
rename() should "...Checks whether the directory in which you are about
to operate has the same UID (owner) as the script that is being
executed."...

Is the documentation out of sync with the code ? Or the other way
around ?








------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=26974&edit=1

Reply via email to