ID:               40326
Comment by:       lthomas at cs dot umn dot edu
Reported By:      sborrill at precedence dot co dot uk
Status:           Open
Bug Type:         Streams related
Operating System: NetBSD 3.1_STABLE
PHP Version:      5.2.0
New Comment:

"[3 Feb 9:32am UTC] sborrill at precedence dot co dot uk" suggested that this is 100% reproducible when using PHP within UserDir. I've encountered the bug both within and without UserDir.

With UserDir: Apache 2.2.4 & PHP 5.2.1 in Solaris 8
Without UserDir: Apache 2.0.59 & PHP 5.2.1 in Solaris 8

Previous Comments:
------------------------------------------------------------------------

[2007-02-23 11:51:57] sborrill at precedence dot co dot uk

What sort of account? FTP/ssh/something else? Alternatively, big thanks to tlaramie at superb dot net for offering a suitable account.

The error was introduced in revision 1.74.2.9.2.4 and is around line 584 for TSRM/tsrm_virtual_cwd.c in the loop that begins:

    ptr = tsrm_strtok_r(path_copy, TOKENIZER_STRING, &tok);

This loop is not run in 1.74.2.9.2.3 if the cwdlen is 0. With 1.74.2.9.2.4 and later it is always run and so prepends a / on the file name, i.e. the actual file that is opened with fopen("file","r") is "/file". This strikes me as a potential security problem too.

------------------------------------------------------------------------

[2007-02-23 09:47:34] tlaramie at superb dot net

I can replicate the issue verbatim on PHP 5.2.1 on Solaris 9 (SPARC). Login information for testing by one of the developers is available per their request.

------------------------------------------------------------------------

[2007-02-20 01:00:00] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open".

------------------------------------------------------------------------

[2007-02-12 17:49:28] [EMAIL PROTECTED]

Please provide an account on this machine.

------------------------------------------------------------------------

[2007-02-10 21:39:07] sborrill at precedence dot co dot uk

I've tracked this down to changes to virtual_file_ex() which is called from expand_filepath(). expand_filepath() returns "/file" from "file" with 5.2.0 (and later), but returns "file" with 5.1.6 and earlier.

This is down to changes between revisions 1.74.2.9 (v5.1.6) and 1.74.2.9.2.9 (v5.2.0) of TSRM/tsrm_virtual_cwd.c. I've not yet tracked it down further.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/40326

--
Edit this bug report at http://bugs.php.net/?id=40326&edit=1
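
The behaviour reported in the comments above (an empty working directory plus an always-run token loop turning "file" into "/file"), shown as an added example: this is a simplified model written for illustration, not code from PHP or from TSRM/tsrm_virtual_cwd.c. The names model_expand, relative_became_absolute, always_tokenize and SEP are hypothetical, and strtok_r stands in for tsrm_strtok_r.

```c
#define _POSIX_C_SOURCE 200809L  /* for strtok_r */
#include <stdio.h>
#include <string.h>

#define SEP "/"  /* assumed stand-in for the TOKENIZER_STRING named in the report */

/* Simplified model, NOT PHP's code. Resolves `path` against `cwd` into `out`.
 * always_tokenize = 0 models what the report says of 1.74.2.9.2.3: an empty
 *   cwd skips the token loop and the name comes back untouched.
 * always_tokenize = 1 models 1.74.2.9.2.4 and later: the loop always runs and
 *   writes a separator in front of every token. Returns 0, or -1 if too long. */
int model_expand(const char *cwd, const char *path, int always_tokenize,
                 char *out, size_t outlen)
{
    char copy[256], *save, *ptr;
    size_t used;

    if (strlen(path) >= sizeof copy || strlen(path) >= outlen ||
        strlen(cwd) >= outlen) return -1;
    if (cwd[0] == '\0' && !always_tokenize) { strcpy(out, path); return 0; }
    strcpy(out, path[0] == '/' ? "" : cwd);   /* absolute input ignores cwd */
    used = strlen(out);
    strcpy(copy, path);
    for (ptr = strtok_r(copy, SEP, &save); ptr; ptr = strtok_r(NULL, SEP, &save)) {
        size_t n = strlen(ptr);
        if (used + 1 + n >= outlen) return -1;
        out[used++] = '/';                    /* the prepended separator */
        memcpy(out + used, ptr, n + 1);
        used += n;
    }
    return 0;
}

/* Defensive check a caller can apply before opening the result: with no
 * working directory, a relative name must not come back rooted at "/". */
int relative_became_absolute(const char *cwd, const char *in, const char *resolved)
{
    return cwd[0] == '\0' && in[0] != '/' && resolved[0] == '/';
}

int main(void)
{
    char a[64], b[64];
    model_expand("", "file", 0, a, sizeof a);
    model_expand("", "file", 1, b, sizeof b);
    printf("loop skipped: %s\nloop always run: %s (flagged=%d)\n",
           a, b, relative_became_absolute("", "file", b));
    return 0;
}
```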