From:             moron at industrial dot org
Operating system: FreeBSD (likely all)
PHP version:      4.4.1RC1
PHP Bug Type:     Safe Mode/open_basedir
Bug description:  problematic safe_mode restriction in GD library

Description:
------------
A new safe_mode check has been added to PHP's GD library functions that
affects image creation functions.  The changed line is here:

ext/gd/gd.c:1647: if (!fn || fn == empty_string ||
php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) &&
!php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {

As of 4.4.1 the following is new:

(PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))

Since this change GD is not able to create new images, presumably due to
the above permissions check failing.


The problem with this code (if I am guessing what "php_checkuid" does
correctly) is that it seems to make an invalid assumption as to how
ownership works under Unix operating systems. Unless you run PHP as a CGI
(running as the script owner), created files will always be owned by the
generic web user ("www", "nobody", etc.).  This means that the above check
will fail since the ownership of the created file will not match that of
the parent script.

What should be checked here is the group ownership and file level
permissions since the owner will always be the web user (especially if the
directory structure has been created on the fly). 

As it stands, if you run under safe_mode and with PHP as a module under a
Unix type system, you will always fail the safe_mode check and be unable
to create images with the GD libraries.

Other file system functions appear to be unaffected (i.e.
move_uploaded_file, copy, mkdir, etc.).

Cheers

Reproduce code:
---------------
<?php
// safe_mode is enabled

$img_out=imagecreatetruecolor(200,200);
imagejpeg($img_out,'files/thingy/test.jpg',100);
imagedestroy($img_out);
?>
                



Expected result:
----------------
new image created "files/thingy/test.jpg"

Actual result:
--------------
Warning: imagejpeg(): Unable to access files/thingy/test.jpg in
/home/moron/www/test.php on line 3

Warning: imagejpeg(): Invalid filename 'files/thingy/test.jpg' in
/home/moron/www/test.php on line 3

Here are the permissions in that directory:

drwxr-xrwx  15 nobody  12345  512 Sep 10  2004 files/thingy/

Here are the permissions on the script:

-rw-r--r--  1 33300  12345    122 Nov  1 13:03 test.php

-- 
Edit bug report at http://bugs.php.net/?id=35060&edit=1
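
An added example, not part of the report and not PHP's source: a simplified model of the kind of ownership comparison the report describes, applied to the owners shown in its two listings. The names owner_of_target and ownership_match are hypothetical, and 65534 is an assumed numeric UID for "nobody".

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

typedef struct { uid_t uid; gid_t gid; } owner_t;
enum { MATCH_UID = 1, MATCH_GID = 2 };

/* Owner of `path`; if it does not exist yet (a file about to be created),
 * fall back to the owner of its parent directory. Returns 0 on success. */
int owner_of_target(const char *path, owner_t *out)
{
    struct stat sb;
    char dir[PATH_MAX];
    if (stat(path, &sb) != 0) {
        const char *slash;
        if (errno != ENOENT || strlen(path) >= sizeof(dir)) return -1;
        strcpy(dir, path);
        slash = strrchr(path, '/');
        if (slash == NULL) strcpy(dir, ".");        /* bare file name */
        else if (slash == path) strcpy(dir, "/");   /* file directly in / */
        else dir[slash - path] = '\0';              /* cut at last slash */
        if (stat(dir, &sb) != 0) return -1;
    }
    out->uid = sb.st_uid;
    out->gid = sb.st_gid;
    return 0;
}

/* Bitmask of which identities of the target match the script's. */
int ownership_match(const owner_t *target, const owner_t *script)
{
    return (target->uid == script->uid ? MATCH_UID : 0) |
           (target->gid == script->gid ? MATCH_GID : 0);
}

int main(void)
{
    /* Constructed from the report's listings: directory nobody:12345,
     * script 33300:12345 (65534 for "nobody" is an assumption). */
    owner_t dir = { 65534, 12345 }, script = { 33300, 12345 };
    int m = ownership_match(&dir, &script);
    printf("uid match: %s, gid match: %s\n",
           (m & MATCH_UID) ? "yes" : "no", (m & MATCH_GID) ? "yes" : "no");
    return 0;
}
```

With the listed owners, the UID comparison fails while the GID comparison succeeds, which is the mismatch the report attributes to files and directories created by the web server user.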