iliaa Sun, 26 Jul 2009 15:14:18 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=286360
Log: Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars restrictions). Bug: http://bugs.php.net/49026 (Open) proc_open() can bypass safe_mode_protected_env_vars restrictions Changed paths: U php/php-src/branches/PHP_5_2/NEWS U php/php-src/branches/PHP_5_2/ext/standard/proc_open.c U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/standard/proc_open.c Modified: php/php-src/branches/PHP_5_2/NEWS =================================================================== --- php/php-src/branches/PHP_5_2/NEWS 2009-07-26 14:49:23 UTC (rev 286359) +++ php/php-src/branches/PHP_5_2/NEWS 2009-07-26 15:14:18 UTC (rev 286360) @@ -8,6 +8,8 @@ --with-curlwrappers). (Jani) - Fixed bug #49032 (SplFileObject::fscanf() variables passed by reference). (Jani) +- Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars + restrictions). (Ilia) - Fixed bug #48980 (Crash when compiling with pdo_firebird). (Felipe) - Fixed bug #48962 (cURL does not upload files with specified filename). (Ilia) Modified: php/php-src/branches/PHP_5_2/ext/standard/proc_open.c =================================================================== --- php/php-src/branches/PHP_5_2/ext/standard/proc_open.c 2009-07-26 14:49:23 UTC (rev 286359) +++ php/php-src/branches/PHP_5_2/ext/standard/proc_open.c 2009-07-26 15:14:18 UTC (rev 286360) @@ -30,6 +30,7 @@ #include "php_string.h" #include "safe_mode.h" #include "ext/standard/head.h" +#include "ext/standard/basic_functions.h" #include "ext/standard/file.h" #include "exec.h" #include "php_globals.h" 
@@ -152,6 +153,34 @@
 if (string_length == 0) {
 continue;
 }
+ if (PG(safe_mode)) {
+ /* Check the protected list */
+ if (zend_hash_exists(&BG(sm_protected_env_vars), string_key, string_length - 1)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Safe Mode warning: Cannot override protected environment variable '%s'", string_key);
+ return env;
+ }
+ /* Check the allowed list */
+ if (BG(sm_allowed_env_vars) && *BG(sm_allowed_env_vars)) {
+ char *allowed_env_vars = estrdup(BG(sm_allowed_env_vars));
+ char *strtok_buf = NULL;
+ char *allowed_prefix = php_strtok_r(allowed_env_vars, ", ", &strtok_buf);
+ zend_bool allowed = 0;
+
+ while (allowed_prefix) {
+ if (!strncmp(allowed_prefix, string_key, strlen(allowed_prefix))) {
+ allowed = 1;
+ break;
+ }
+ allowed_prefix = php_strtok_r(NULL, ", ", &strtok_buf);
+ }
+ efree(allowed_env_vars);
+ if (!allowed) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Safe Mode warning: Cannot set environment variable '%s' - it's not in the allowed list", string_key);
+ return env;
+ }
+ }
+ }
+
 l = string_length + el_len + 1;
 memcpy(p, string_key, string_length);
 strcat(p, "=");
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2009-07-26 14:49:23 UTC (rev 286359)
+++ php/php-src/branches/PHP_5_3/NEWS 2009-07-26 15:14:18 UTC (rev 286360)
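Review bot: Both safe-mode rejections in this hunk `return env;` from the middle of the key loop, so the caller gets a partially filled environment rather than an error indication. Unless the caller (not visible here) checks for that, the child process would presumably still be started with a truncated environment after only an E_WARNING. Consider failing closed so the spawn can be aborted, or at least state the behaviour in a comment such as `/* safe mode violation: stop here, env holds only the entries accepted so far */`. The protected-list lookup also matches the whole array key exactly (`string_key, string_length - 1`), so a key that itself contains `=` would not be recognised as the protected name; rejecting such keys before the lookup would close that gap. The same code is added to the PHP_5_3 copy of proc_open.c later in this commit, and the enclosing function starts and ends outside the hunk.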
@@ -11,6 +11,8 @@ --with-curlwrappers). (Jani) - Fixed bug #49032 (SplFileObject::fscanf() variables passed by reference). (Jani) +- Fixed bug #49026 (proc_open() can bypass safe_mode_protected_env_vars + restrictions). (Ilia) - Fixed bug #49012 (phar tar signature algorithm reports as Unknown (0) in getSignature() call). (Greg) - Fixed bug #49020 (phar misinterprets ustar long filename standard). Modified: php/php-src/branches/PHP_5_3/ext/standard/proc_open.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/standard/proc_open.c 2009-07-26 14:49:23 UTC (rev 286359) +++ php/php-src/branches/PHP_5_3/ext/standard/proc_open.c 2009-07-26 15:14:18 UTC (rev 286360) @@ -30,6 +30,7 @@ #include "php_string.h" #include "safe_mode.h" #include "ext/standard/head.h" +#include "ext/standard/basic_functions.h" #include "ext/standard/file.h" #include "exec.h" #include "php_globals.h" 
@@ -152,6 +153,34 @@
 if (string_length == 0) {
 continue;
 }
+ if (PG(safe_mode)) {
+ /* Check the protected list */
+ if (zend_hash_exists(&BG(sm_protected_env_vars), string_key, string_length - 1)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Safe Mode warning: Cannot override protected environment variable '%s'", string_key);
+ return env;
+ }
+ /* Check the allowed list */
+ if (BG(sm_allowed_env_vars) && *BG(sm_allowed_env_vars)) {
+ char *allowed_env_vars = estrdup(BG(sm_allowed_env_vars));
+ char *strtok_buf = NULL;
+ char *allowed_prefix = php_strtok_r(allowed_env_vars, ", ", &strtok_buf);
+ zend_bool allowed = 0;
+
+ while (allowed_prefix) {
+ if (!strncmp(allowed_prefix, string_key, strlen(allowed_prefix))) {
+ allowed = 1;
+ break;
+ }
+ allowed_prefix = php_strtok_r(NULL, ", ", &strtok_buf);
+ }
+ efree(allowed_env_vars);
+ if (!allowed) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Safe Mode warning: Cannot set environment variable '%s' - it's not in the allowed list", string_key);
+ return env;
+ }
+ }
+ }
+
 l = string_length + el_len + 1;
 memcpy(p, string_key, string_length);
 strcat(p, "=");
