ID: 34793 User updated by: glen at delfi dot ee Reported By: glen at delfi dot ee Status: Open Bug Type: Feature/Change Request Operating System: PLD Linux PHP Version: 5.1.0RC1 New Comment:
to put this into another light. how should i run php cli program, with *not* reading ./php.ini? a real live situation: i have a PHP program defined as CVS loginfo handler. CVS server accessed via ssh. now if i happen to commit php.ini in such CVS setup, the php.ini is first uploaded to cvs server and then a PHP program is executed in that directory (where commited files were uploaded). as the php.ini is not for the OS where the PHP program is ran. i get fatal error from PHP interpreter and no code is executed: # cvs ci -m '- disable zend, broken' php.ini Checking in php.ini; /usr/local/cvs/sw/apache/php.ini,v <-- php.ini new revision: 1.7; previous revision: 1.6 done PHP Warning: PHP Startup: Unable to load dynamic library './pcre.so' - ./pcre.so: cannot open shared object file: No such file or directory in Unknown on line 0 PHP Warning: Unknown: failed to open stream: No such file or directory in Unknown on line 0 PHP Warning: Unknown: Failed opening '/www/vars.inc' for inclusion (include_path='.:/usr/share/pear') in Unknown on line 0 Previous Comments: ------------------------------------------------------------------------ [2005-10-10 00:06:59] adamg at agmk dot net I believe this behaviour is wrong and PHP should be fixed not to look for php.ini in the current directory for the reasons described by glen. Ideally (as I see it) is a fixed location in /etc and (optionally) in home dir of user running the script. Why do you think this bug report is bogus? What are the reasons for keeping such behaviour? ------------------------------------------------------------------------ [2005-10-10 00:05:36] glen at delfi dot ee in fact i know that documentation says so. but that doesn't mean it supposed to be like this? can't you at least consider securing it, by adding some option to enable/disable this? so i changed category to feature request! ------------------------------------------------------------------------ [2005-10-09 19:14:38] [EMAIL PROTECTED] Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php ------------------------------------------------------------------------ [2005-10-09 18:13:31] glen at delfi dot ee Description: ------------ php cli searches for php.ini from current dir, and when current directory appears to be world writable directory, then malicious user can put there php.ini loading malicious extension. php cli is used for example to install PEAR packages, and for PEAR install to succeed it needs to be run as root. Reproduce code: --------------- 1. create /tmp/php.ini containing [PHP] extension=/../../../tmp/malicious.so 2. create php extension and save it to /tmp/malicious.so 3. wait for root run any php-cli program in /tmp 4. your code in malicious.so gets executed. Expected result: ---------------- php should not read php.ini from arbitary locations, it should read it only from hardcoded paths, or one specified from commandline. Actual result: -------------- $ strace -eopen php -m open("/etc/ld.so.cache", O_RDONLY) = 6 open("/usr/lib/libphp_common-5.1.0RC1.so", O_RDONLY) = 6 open("/lib/libcrypt.so.1", O_RDONLY) = 6 open("/lib/libm.so.6", O_RDONLY) = 6 open("/lib/libz.so.1", O_RDONLY) = 6 open("/lib/libresolv.so.2", O_RDONLY) = 6 open("/lib/libpthread.so.0", O_RDONLY) = 6 open("/usr/lib/libxml2.so.2", O_RDONLY) = 6 open("/lib/libdl.so.2", O_RDONLY) = 6 open("/lib/libhistory.so.5", O_RDONLY) = 6 open("/lib/libreadline.so.5", O_RDONLY) = 6 open("/lib/libncurses.so.5", O_RDONLY) = 6 open("/lib/libc.so.6", O_RDONLY) = 6 open("/lib/libtinfo.so.5", O_RDONLY) = 6 open("/etc/localtime", O_RDONLY) = 6 open("/tmp/php.ini", O_RDONLY) = 6 open("/tmp/php-cli.ini", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/php/php-cli.ini", O_RDONLY) = 6 open("/etc/php/conf.d", O_RDONLY|O_NONBLOCK|O_LARGEFILE| O_DIRECTORY) = 6 open("/etc/php/conf.d/pcre.ini", O_RDONLY) = 6 open("/etc/php/conf.d/xml.ini", O_RDONLY) = 6 open("/usr/lib/php//../../../tmp/malicious.so", O_RDONLY) = 6 open("/usr/lib/php/pcre.so", O_RDONLY) = 6 ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=34793&edit=1
