ID: 16685
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Analyzed
+Status: Closed
Bug Type: Documentation problem
Operating System: Linux
PHP Version: 4.2.0
New Comment:

This has now been documented:
http://cvs.php.net/cvs.php/phpdoc/en/features/safe-mode.xml

Thanks for the report :)

Previous Comments:
------------------------------------------------------------------------

[2002-09-29 22:59:57] [EMAIL PROTECTED]

Unless you specify / at the end, PHP will allow any path that begins with the specified string. Meaning that if /a/b/c is specified then /a/b/cde will be allowed. A note about this exists for nearly all directory limiting functions; however, it is absent from the docs on the safe_mode_include_dir option. Consequently, I am making this report a documentation issue.

------------------------------------------------------------------------

[2002-04-18 12:32:11] [EMAIL PROTECTED]

I found that the safe_mode_include_dir check is not correct. Here's why:
resolved_name (the path in question) and ptr (the next directory from the safe_mode_include_dir list) are compared so:

if (strncmp(ptr, resolved_name, strlen(ptr)) == 0)

Let ptr="/var/www/script" and resolved_name="/var/www/scripts"; obviously, they will match, though it's wrong. It is necessary to add an extra check for the trailing char (a valid one is either a slash or \0). In fact, checking the lengths of those may save a bit of CPU time (especially with a long list).

Here's the suggested patch (it is also available at
http://www.cf1.ru/~byg/patch/php/safe_mode_include_dir.patch
ftp://ftp.cf1.ru/pub/patches/php/safe_mode_include_dir.patch ):

--- main/fopen_wrappers.c.orig Thu Apr 18 21:40:57 2002 +++ main/fopen_wrappers.c Thu Apr 18 23:02:55 2002 @@ -233,6 +233,7 @@ char *ptr; char *end; char resolved_name[MAXPATHLEN]; + int len; /* Resolve the real path into resolved_name */ if (expand_filepath(path, resolved_name TSRMLS_CC) == NULL) 
@@ -250,15 +251,20 @@ } /* Check the path */ + len = strlen(ptr); + if (strlen(resolved_name) >= len) { #ifdef PHP_WIN32 - if (strncasecmp(ptr, resolved_name, strlen(ptr)) == 0) + if (strncasecmp(ptr, resolved_name, len) == 0) #else - if (strncmp(ptr, resolved_name, strlen(ptr)) == 0) + if (strncmp(ptr, resolved_name, len) == 0) #endif - { - /* File is in the right directory */ - efree(pathbuf); - return 0; + { + if ((*(resolved_name + len) == DEFAULT_SLASH) || (*(resolved_name + len) == '\0')) { + /* File is in the right directory */ + efree(pathbuf); + return 0; + } + } } ptr = end;
------------------------------------------------------------------------
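
Review bot: The new `int len;` declaration in the `@@ -233,6 +233,7 @@` hunk should be `size_t len;`. It stores the result of `strlen(ptr)`, is compared against `strlen(resolved_name)` and is passed as the length argument of `strncmp`/`strncasecmp`, all of which are `size_t`, so the `int` introduces a signed/unsigned comparison and a narrowing conversion for no benefit.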
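
Review bot: The trailing-character test in the `@@ -250,15 +251,20 @@` hunk rejects every file when the configured entry itself ends in a slash. With `ptr` set to "/var/www/script/" and `resolved_name` set to "/var/www/script/inc.php", the `strncmp` matches but `*(resolved_name + len)` is 'i', which is neither `DEFAULT_SLASH` nor '\0', so the include is refused. That is the form the 2002-09-29 comment describes as the way to get an exact directory match, so the check should also accept the case where `len > 0` and `ptr[len - 1] == DEFAULT_SLASH`. The `strlen(resolved_name) >= len` guard can be dropped as well: a successful `strncmp` over `len` bytes already implies `resolved_name` is at least that long. An empty entry (`len == 0`) still matches any absolute path on the non-Windows branch and deserves an explicit skip.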
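
The prefix-matching behaviour discussed in this report, shown next to a boundary-aware check, as an added example that is neither PHP's code nor the submitted patch. The function names `in_dir_prefix_only` and `in_dir_boundary` are hypothetical, and the sketch assumes an already resolved path, '/' as the separator and case-sensitive comparison.

```c
#include <stdio.h>
#include <string.h>

/* Prefix-only comparison, equivalent to the check quoted in the report. */
static int in_dir_prefix_only(const char *dir, const char *resolved)
{
    return strncmp(dir, resolved, strlen(dir)) == 0;
}

/* Boundary-aware comparison: the matched prefix must end on a path
 * separator or at the end of the resolved path. An entry that already
 * ends in '/' carries its own boundary. */
static int in_dir_boundary(const char *dir, const char *resolved)
{
    size_t len = strlen(dir);

    if (len == 0 || strncmp(dir, resolved, len) != 0)
        return 0;                 /* an empty entry matches nothing */
    if (dir[len - 1] == '/')
        return 1;                 /* "/a/b/" already ends on a boundary */
    /* Safe to read: strncmp matched len non-NUL bytes of resolved. */
    return resolved[len] == '/' || resolved[len] == '\0';
}

int main(void)
{
    /* Constructed sample: the paths from the report plus trailing-slash entries. */
    static const char *cases[][2] = {
        { "/var/www/script",  "/var/www/script/inc.php"  },
        { "/var/www/script",  "/var/www/scripts/inc.php" },
        { "/var/www/script",  "/var/www/script"          },
        { "/var/www/script/", "/var/www/script/inc.php"  },
        { "/var/www/script/", "/var/www/scripts/inc.php" },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s %-26s prefix=%d boundary=%d\n",
               cases[i][0], cases[i][1],
               in_dir_prefix_only(cases[i][0], cases[i][1]),
               in_dir_boundary(cases[i][0], cases[i][1]));
    return 0;
}
```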