#38670 [Opn]: Whole 4.4.x branch has problem with open_basedir option nested from Apache2

serokka at hrn dot ru Sat, 16 Sep 2006 01:47:47 -0700

 ID:               38670
 User updated by:  serokka at hrn dot ru
 Reported By:      serokka at hrn dot ru
 Status:           Open
 Bug Type:         *Configuration Issues
 Operating System: FreeBSD 4.10
 PHP Version:      4.4.4
 New Comment:


I have checked the diffs of session.c implementations between 4.3.11
and php4-latest-snapshot, here is the same that brought my attention.

As i understand correctly, there is implementation of checking
boundaries such as open_basedir at runtime if it was got from Apache
VirtualHost section.

So, the problem was from the beginning of 4 branch??? Is there a
security leak, cause sessions sometimes got their paths from other
VirtualHost???
------------------------------------------------------------
@@ -117,6 +117,20 @@ static PHP_INI_MH(OnUpdateSerializer)
        return SUCCESS;
 }

+static PHP_INI_MH(OnUpdateSaveDir) {
+       /* Only do the safemode/open_basedir check at runtime */
+       if(stage == PHP_INI_STAGE_RUNTIME) {
+               if (PG(safe_mode) && (!php_checkuid(new_value, NULL,
CHECKUID_ALLOW_ONLY_DIR))) {
+                       return FAILURE;
+               }
+
+               if (php_check_open_basedir(new_value TSRMLS_CC)) {
+                       return FAILURE;
+               }
+       }
+       OnUpdateString(entry, new_value, new_value_length, mh_arg1,
mh_arg2, mh_arg3, stage TSRMLS_CC);
+       return SUCCESS;
+}

 /* {{{ PHP_INI
  */
@@ -124,9 +138,9 @@ PHP_INI_BEGIN()
        STD_PHP_INI_BOOLEAN("session.bug_compat_42",    "1",        
PHP_INI_ALL, OnUpdateBool,   bug_compat,         php_ps_glo
bals,    ps_globals)
        STD_PHP_INI_BOOLEAN("session.bug_compat_warn",  "1",        
PHP_INI_ALL, OnUpdateBool,   bug_compat_warn,    php_ps_glo
bals,    ps_globals)
 #ifdef PHP_WIN32
-       STD_PHP_INI_ENTRY("session.save_path",          "",     
PHP_INI_ALL, OnUpdateString, save_path,          php_ps_globals
,    ps_globals)
+       STD_PHP_INI_ENTRY("session.save_path",          "",         
PHP_INI_ALL, OnUpdateSaveDir,save_path,          php_ps_glo
bals,    ps_globals)
 #else
-       STD_PHP_INI_ENTRY("session.save_path",          "/tmp",     
PHP_INI_ALL, OnUpdateString, save_path,          php_ps_glo
bals,    ps_globals)
+       STD_PHP_INI_ENTRY("session.save_path",          "/tmp",     
PHP_INI_ALL, OnUpdateSaveDir,save_path,          php_ps_glo
bals,    ps_globals)
 #endif
        STD_PHP_INI_ENTRY("session.name",               "PHPSESSID",
PHP_INI_ALL, OnUpdateString, session_name,       php_ps_glo
bals,    ps_globals)
        PHP_INI_ENTRY("session.save_handler",           "files",    
PHP_INI_ALL, OnUpdateSaveHandler)


Previous Comments:
------------------------------------------------------------------------

[2006-09-16 07:56:20] serokka at hrn dot ru

With the latest snapshot we have the same problem.

------------------------------------------------------------------------

[2006-09-14 01:00:01] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

------------------------------------------------------------------------

[2006-09-06 09:56:22] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip



------------------------------------------------------------------------

[2006-08-31 12:29:21] serokka at hrn dot ru

Description:
------------
I got a problem with open_basedir between Apache's (2.0.55) virtual
hosts.

This error appeared in 4.4.x branch!
PHP 4.3.11 does NOT have this error.

----------------------------------------
Warning: Unknown(): open_basedir restriction in effect.
File(/pub/home/xxxxxxx/tmp) is not within the allowed path(s):
(/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/php/lib/php:/usr/local/mysql/bin:/pub/home/yyyyyyyy)
in Unknown on line 0
----------------------------------------

This is very serious bug and it stops us from using PHP 4.4.x

Reproduce code:
---------------
<VirtualHost aaa.aaa.aaa.aaa:80>
..............
    php_admin_value doc_root '/pub/home/xxxxxxx'
    php_admin_value upload_tmp_dir '/pub/home/xxxxxxx/tmp'
    php_admin_value session.save_path '/pub/home/xxxxxxx/tmp'
    php_admin_value open_basedir
'/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/php/lib/php:/usr/local/
mysql/bin:/pub/home/xxxxxxx'
..............
</VirtualHost>

<VirtualHost aaa.aaa.aaa.aaa:80>
..............
    php_admin_value doc_root '/pub/home/yyyyyyyy'
    php_admin_value upload_tmp_dir '/pub/home/yyyyyyyy/tmp'
    php_admin_value session.save_path '/pub/home/yyyyyyyy/tmp'
    php_admin_value open_basedir
'/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/php/lib/php:/usr/local/
mysql/bin:/pub/home/yyyyyyyy'
..............
</VirtualHost>




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=38670&edit=1

#38670 [Opn]: Whole 4.4.x branch has problem with open_basedir option nested from Apache2

Reply via email to