#41899 [Fbk->Opn]: Can't open files with leading relative path of '..' and '..' is not readable
ID: 41899 User updated by: geoffwa at cs dot rmit dot edu dot au Reported By: geoffwa at cs dot rmit dot edu dot au -Status: Feedback +Status: Open Bug Type: Streams related Operating System: Solaris 10 PHP Version: 5.2.3 Assigned To: ab5602 New Comment: PHP5.2-200710080430 + your patch still doesn't work for either test case (also, shouldn't sizeof(filename) be sizeof(filename_test)?). $ ./php5.2-200710080430-fixed -dsafe_mode=1 test2.php Warning: mkdir(): Unable to access ./a in /pathto/test2.php on line 3 mkdir failed (so the initial mkdir("./a/b", 0700, true) call is failing) Stepping through the non-patched PHP5.2-200710080430 the error message is being generated from: if (mode != CHECKUID_ALLOW_ONLY_FILE) { /* check directory */ ret = VCWD_STAT(path, &sb); if (ret < 0) { if ((flags & CHECKUID_NO_ERRORS) == 0) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to access %s", filename); } return 0; } (line 147 in safe_mode.c) Previous Comments: [2007-10-10 01:01:42] [EMAIL PROTECTED] Geoffwa, when you get a chance, please let me know if applying the patch below to the current snapshot fixes the issue for you. [EMAIL PROTECTED]:~/mkdirtest]$ ./php-solfix -dsafe_mode=1 ./test2.php Current working directory is: /export/home/rob/mkdirtest Opened /export/home/rob/mkdirtest/a/b/file Opened ./a/b/file from ./a using ./b/file Opened ./a/b/file from ./a using ./b/c/../file Opened ./a/b/file from ./a/b/c using ../file Opened ../file from ./a/b/c using ./../file Opened ./a/b/file from ./a/b using ./file Opened ./a/file from ./a/b using ./c/../../file Opened ./a/b/c/file from ./a/b/c using ../c/file [EMAIL PROTECTED]:~/mkdirtest]$ ./php-solfix -dsafe_mode=1 ./test.php SUCCESS --- ./safe_mode.c.old 2007-09-23 10:19:21.0 -0500 +++ ./safe_mode.c 2007-10-09 19:39:44.0 -0500 @@ -86,7 +86,15 @@ * If that fails, passthrough and check directory... */ if (mode != CHECKUID_ALLOW_ONLY_DIR) { - expand_filepath(filename, path TSRMLS_CC); + +char filename_test[MAXPATHLEN]; +strcpy(filename_test,filename); +if (VCWD_GETCWD(filename_test, sizeof(filename)) == NULL) { +strcpy(path,filename); +} else { +expand_filepath(filename, path TSRMLS_CC); +} + ret = VCWD_STAT(path, &sb); if (ret < 0) { if (mode == CHECKUID_DISALLOW_FILE_NOT_EXISTS) { [2007-10-09 20:34:59] [EMAIL PROTECTED] Thanks, that was it. I am able to reproduce the situation now. Have tracked the issue down to safe_mode.c, php_checkuid_ex(), as is shown above in the thread and am working with it. [2007-10-09 16:07:47] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php5.2-latest.tar.gz For Windows (zip): http://snaps.php.net/win32/php5.2-win32-latest.zip For Windows (installer): http://snaps.php.net/win32/php5.2-win32-installer-latest.msi [2007-10-09 06:58:42] geoffwa at cs dot rmit dot edu dot au Err are you running with safe mode on? $ ./php5.2-200710080430-debug -dsafe_mode=0 test2.php SUCCESS [2007-10-09 06:56:17] geoffwa at cs dot rmit dot edu dot au I can send you a tar, but I doubt that'll help matters. Here's the directory: --- drwxrwxrwx 2 geoffwa staff 512 Oct 9 16:44 . drwx-- 8 geoffwa staff 512 Oct 8 15:14 .. -rwx-- 1 geoffwa staff 3.7M Oct 9 16:23 php5.2-200710080430 -rwx-- 1 geoffwa staff 11M Oct 9 16:44 php5.2-200710080430-debug -rw--- 1 geoffwa staff 2.7K Oct 8 15:17 test.php -rw--- 1 geoffwa staff 301 Oct 8 15:21 test2.php --- (set . to 0777 for demonstration purposes) (run the smaller of the two example scripts) $ ./php5.2-200710080430-debug test2.php Warning: mkdir(): Unable to access ./a in /homedir/test2.php on line 3 mkdir failed The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/41899 -- Edit this bug report at http://bugs.php.net/?id=41899&edit=1
#41899 [Fbk->Opn]: Can't open files with leading relative path of '..' and '..' is not readable
ID: 41899 User updated by: [EMAIL PROTECTED] Reported By: [EMAIL PROTECTED] -Status: Feedback +Status: Open Bug Type: Streams related Operating System: Solaris 10 PHP Version: 5.2.3 Assigned To: ab5602 New Comment: With php5.2-200710080430 the problem is worse, not better. I can't even mkdir() in my test script any more! produces: Warning: mkdir(): Unable to access ./a in /home/g/geoffwa/work/test/test2.php on line 3 mkdir failed Looking at truss, the last four syscalls are: getcwd("/home/g/geoffwa/work/test", 1024) = 0 resolvepath("./a", 0xFFBFD238, 1024)Err#2 ENOENT stat("a", 0xFFBFDF20) Err#2 ENOENT stat("a", 0xFFBFDF20) Err#2 ENOENT I'd also like to point out that the Solaris getcwd() works fine: (from the man page) The getcwd() function may fail if: EACCES A parent directory cannot be read to get its name. Previous Comments: [2007-10-08 03:04:17] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php5.2-latest.tar.gz For Windows (zip): http://snaps.php.net/win32/php5.2-win32-latest.zip For Windows (installer): http://snaps.php.net/win32/php5.2-win32-installer-latest.msi Try the latest CVS snapshot. Fixed the 41822 bug, which I feel is probably the same. [2007-09-17 09:48:37] ian at onlineloop dot com Unfortunately we are not in a position to wither wait for PHP6 nor immediately migrate to it when it does come out. We have too many users with too many scripts on our server, and telling over 800 people that they have to adjust their scripts in less than 6 months just doesn't work here :-( With the continuing failure to fix this bug, we are left in a very uncomfortable situation, either continue with the security hole loaded 5.1.6, or apply the patch you offered. No one from the PHP project has logged into the system we set up for them on an E3500 since 5 July 2007 either, so I'm really left wondering about the seriousness there is to actually fix this bug. Anyway, I have seen from the source for PHP that realpath is definately not a function from Sun. realplath is all from the PHP project itself, so the attempt to shovel off the blame to Sun (post from 6 Jul 3:16pm) is not justifiable. Besides, this all worked just fine up until PHP 5.2.0 came out... [2007-09-13 01:56:00] geoffwa at cs dot rmit dot edu dot au I'll stress again that while the patch may work, I'm not sure if it's 'correct' or not, mainly because I have no idaa what php_checkuid_ex() is supposed to return, safe_mode-isms like open_basedir may need it. I just traced the execution of the offending PHP script repeatedly for the failure case, and deduced that the expand_filepath() call in php_checkuid_ex() that I've removed in the patch was returning an empty path under similar conditions to where a getcwd() call would fail. The actual path blatting appeared to occur in virtual_file_ex(), and we produced a separate patch which completely short-circuited this function and also made the all test conditions work. Given that PHP6 is removing safe_mode completely, I imagine this problem will hopefully be fixed then :) [2007-09-12 11:53:14] ian at onlineloop dot com I've tried the patch offered by Geoff. It seems to work just fine for us too in the cvs version from today (php5.2-200709121030). [2007-09-12 10:38:34] ian at onlineloop dot com Verified that this is still not working in 5.2.4. We made a system available on a Sun E3500, partially for the purposes of fixing this bug. The last login from anyone from the PHP team was on 5 July 2007. Is there any time plan to fix this bug? We are running on Solaris 10 and are stuck on PHP 5.1.6 because of this problem, so the situation for us is critical. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/41899 -- Edit this bug report at http://bugs.php.net/?id=41899&edit=1
#41899 [Fbk->Opn]: Can't open files with leading relative path of '..' and '..' is not readable
ID: 41899 User updated by: geoffwa at cs dot rmit dot edu dot au Reported By: geoffwa at cs dot rmit dot edu dot au -Status: Feedback +Status: Open Bug Type: Streams related Operating System: Solaris 10 PHP Version: 5.2.3 New Comment: Is also broken in 5.2.0 and 5.2.2. Appears to be fixed in latest snapshot: > ./php-5.2-200707060030 -v PHP 5.2.4-dev (cli) (built: Jul 6 2007 10:59:53) Copyright (c) 1997-2007 The PHP Group Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies > ./php-5.2-200707060030 -f test.php Current working directory is: /home/g/geoffwa/test Opened /home/g/geoffwa/test/a/b/file Opened ./a/b/file from ./a using ./b/file Opened ./a/b/file from ./a using ./b/c/../file Opened ./a/b/file from ./a/b/c using ../file Opened ../file from ./a/b/c using ./../file Opened ./a/b/file from ./a/b using ./file Opened ./a/file from ./a/b using ./c/../../file Opened ./a/b/c/file from ./a/b/c using ../c/file Previous Comments: [2007-07-05 21:59:45] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php5.2-latest.tar.gz For Windows (zip): http://snaps.php.net/win32/php5.2-win32-latest.zip For Windows (installer): http://snaps.php.net/win32/php5.2-win32-installer-latest.msi [2007-07-05 06:34:06] geoffwa at cs dot rmit dot edu dot au Description: (possibly related to bug #39953 or bug #39351) If a relative path to a file has '..' as a leading path component, and the directory referred to by '..' is not readable by the user, then opening a file using the relative path fails. Using an absolute path or a path with a non-'..' leading component opens said file just fine. Reproduce code: --- See http://goanna.cs.rmit.edu.au/~geoffwa/relative_path_bug.php for a large test script. Expected result: (Using PHP 5.1.4) Current working directory is: /home/g/geoffwa/test Opened /home/g/geoffwa/test/a/b/file Opened ./a/b/file from ./a using ./b/file Opened ./a/b/file from ./a using ./b/c/../file Opened ./a/b/file from ./a/b/c using ../file Opened ../file from ./a/b/c using ./../file Opened ./a/b/file from ./a/b using ./file Opened ./a/file from ./a/b using ./c/../../file Opened ./a/b/c/file from ./a/b/c using ../c/file Actual result: -- (Using PHP 5.2.3 + suhosin patch) Opened /home/g/geoffwa/test/a/b/file Opened ./a/b/file from ./a using ./b/file Opened ./a/b/file from ./a using ./b/c/../file Failed to open ./a/b/file from ./a/b/c using ../file Failed to open ./a/b/file from ./a/b/c using ./../file Opened ./a/b/file from ./a/b using ./file Opened ./a/file from ./a/b using ./c/../../file Failed to open ./a/b/c/file from ./a/b/c using ../c/file -- Edit this bug report at http://bugs.php.net/?id=41899&edit=1