From:             david at madole dot net
Operating system: FreeBSD 5.4
PHP version:      4CVS-2005-07-14 (stable)
PHP Bug Type:     Safe Mode/open_basedir
Bug description:  Setting save_path in httpd.conf under safemode gives SEGV

Description:
------------
./configure \
  --prefix=/usr/local/opt/php4-STABLE-200507140043 \
  --with-apxs2=/usr/local/opt/httpd-2.0.54/bin/apxs \
  --with-config-file-path=/etc \
  --enable-debug

diff php.ini-dist /etc/php.ini
158c158
< safe_mode = Off
---
> safe_mode = On

<Directory /home/user/www>
  PHP_Admin_Value open_basedir /home/user/
  PHP_Admin_Value session.save_path /home/user/tmp/
</Directory>

On serving any page from /home/user/www, even plain HTML files not parsed
by PHP, a SEGV is encountered in the Apache child process.

The error occurs in sapi/apache2handler/sapi_apache2.c line 173, where ctx
is dereferenced while containing NULL (see very end of backtrace below):

        ctx->finfo.st_uid = ctx->r->finfo.user;

Removing the newly introduced OnUpdateSaveDir check in
ext/session/session.c eliminates the problem.
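As an added illustration (not code from this bug report or from PHP itself), the following C model of the call chain apply_config -> OnUpdateSaveDir -> php_checkuid -> get_stat shows why the stat callback can be reached while the request context is still NULL, and how a callback that reports "no context yet" makes the safe-mode uid check fail closed instead of crashing the Apache child. The struct and function names are hypothetical stand-ins for PHP's; this is not PHP's own fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* Hypothetical per-request context (stands in for php_struct). */
struct req_ctx {
    uid_t finfo_uid;   /* owner of the served file, filled in per request */
};

/* Stands in for the SAPI server context: NULL until the handler sets it. */
static struct req_ctx *g_ctx = NULL;

/* Model of php_apache_sapi_get_stat(). The crashing version dereferences
 * ctx unconditionally; this one reports failure when no request context
 * exists yet. Returns true and fills *uid_out on success. */
static bool sapi_get_stat(uid_t *uid_out)
{
    if (g_ctx == NULL) {
        return false;          /* the page's crash site: ctx->finfo.st_uid */
    }
    *uid_out = g_ctx->finfo_uid;
    return true;
}

/* Model of the safe-mode uid check: the directory must be owned by the
 * same uid as the script being served. Fails closed if stat is unavailable. */
static bool checkuid(uid_t dir_owner)
{
    uid_t script_uid;
    if (!sapi_get_stat(&script_uid)) {
        return false;
    }
    return dir_owner == script_uid;
}

/* Model of OnUpdateSaveDir: the ini handler apply_config runs for
 * PHP_Admin_Value session.save_path. Returns true if the value is accepted. */
static bool on_update_save_dir(uid_t dir_owner, bool safe_mode)
{
    if (safe_mode && !checkuid(dir_owner)) {
        return false;
    }
    return true;
}

/* Same update performed inside a request whose script is owned by script_owner. */
static bool update_during_request(uid_t dir_owner, uid_t script_owner)
{
    struct req_ctx ctx = { script_owner };
    g_ctx = &ctx;                               /* request context now exists */
    bool ok = on_update_save_dir(dir_owner, true);
    g_ctx = NULL;                               /* torn down at request end */
    return ok;
}
```

Calling on_update_save_dir() with g_ctx still NULL is the situation in the backtrace (stage=16, plain HTML request); the guarded version rejects the directive rather than dereferencing NULL.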


Reproduce code:
---------------
<html><body>Test</body></html>


Expected result:
----------------
Display "Test" in browser.

Actual result:
--------------
#0  0x2851ba51 in php_apache_sapi_get_stat ()
    at /usr/local/src/php4-STABLE-200507140043/sapi/apache2handler/sapi_apache2.c:173
#1  0x284d9122 in sapi_get_stat ()
    at /usr/local/src/php4-STABLE-200507140043/main/SAPI.c:848
#2  0x28487317 in php_statpage ()
    at /usr/local/src/php4-STABLE-200507140043/ext/standard/pageinfo.c:73
#3  0x28487383 in php_getuid ()
    at /usr/local/src/php4-STABLE-200507140043/ext/standard/pageinfo.c:99
#4  0x284d5b99 in php_checkuid_ex (filename=0xbfbfdff0 "/home/madole.net/tmp/", fopen_mode=0x0, mode=3, flags=0)
    at /usr/local/src/php4-STABLE-200507140043/main/safe_mode.c:150
#5  0x284d5cda in php_checkuid (filename=0x81dc6a4 "/home/madole.net/tmp/", fopen_mode=0x0, mode=3)
    at /usr/local/src/php4-STABLE-200507140043/main/safe_mode.c:191
#6  0x28443c64 in OnUpdateSaveDir (entry=0x81cbf00, new_value=0x81dc6a4 "/home/madole.net/tmp/", new_value_length=21, mh_arg1=0x0, mh_arg2=0x28577900, mh_arg3=0x0, stage=16)
    at /usr/local/src/php4-STABLE-200507140043/ext/session/session.c:123
#7  0x285101be in zend_alter_ini_entry (name=0x81106a0 "session.save_path", name_length=18, new_value=0x8123698 "/home/madole.net/tmp/", new_value_length=21, modify_type=4, stage=16)
    at /usr/local/src/php4-STABLE-200507140043/Zend/zend_ini.c:232
#8  0x2851cc48 in apply_config (dummy=0x8123598)
    at /usr/local/src/php4-STABLE-200507140043/sapi/apache2handler/apache_config.c:167
#9  0x2851c207 in php_handler (r=0x81f2050)
    at /usr/local/src/php4-STABLE-200507140043/sapi/apache2handler/sapi_apache2.c:457
#10 0x0807a45a in ap_run_handler (r=0x81f2050) at config.c:152
#11 0x0807a825 in ap_invoke_handler (r=0x81f2050) at config.c:364
#12 0x08069a35 in ap_process_request (r=0x81f2050) at http_request.c:249
#13 0x08065411 in ap_process_http_connection (c=0x81ec128) at http_core.c:251
#14 0x08083c72 in ap_run_process_connection (c=0x81ec128) at connection.c:43
#15 0x08078c71 in child_main (child_num_arg=0) at prefork.c:610
#16 0x08078e65 in make_child (s=0x80b9760, slot=0) at prefork.c:650
#17 0x08078f2c in startup_children (number_to_start=5) at prefork.c:722
#18 0x080795af in ap_mpm_run (_pconf=0xbfbfec40, plog=0x80ed018, s=0xbfbfec48)
    at prefork.c:941
#19 0x0807e74b in main (argc=6, argv=0xbfbfed38) at main.c:618
(gdb) print ctx
$1 = (php_struct *) 0x0


-- 
Edit bug report at http://bugs.php.net/?id=33690&edit=1