#41899 [Fbk->Opn]: Can't open files with leading relative path of '..' and '..' is not readable

2007-10-09 Thread geoffwa at cs dot rmit dot edu dot au
 ID:   41899
 User updated by:  geoffwa at cs dot rmit dot edu dot au
 Reported By:  geoffwa at cs dot rmit dot edu dot au
-Status:   Feedback
+Status:   Open
 Bug Type: Streams related
 Operating System: Solaris 10
 PHP Version:  5.2.3
 Assigned To:  ab5602
 New Comment:

PHP5.2-200710080430 + your patch still doesn't work for either test
case (also, shouldn't sizeof(filename) be sizeof(filename_test)?).

$ ./php5.2-200710080430-fixed -dsafe_mode=1 test2.php

Warning: mkdir(): Unable to access ./a in /pathto/test2.php on line 3
mkdir failed

(so the initial mkdir("./a/b", 0700, true) call is failing)

Stepping through the non-patched PHP5.2-200710080430 the error message
is being generated from:

if (mode != CHECKUID_ALLOW_ONLY_FILE) {
    /* check directory */
    ret = VCWD_STAT(path, &sb);
    if (ret < 0) {
        if ((flags & CHECKUID_NO_ERRORS) == 0) {
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to access %s", filename);
        }
        return 0;
    }

(line 147 in safe_mode.c)
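
The path resolution this thread is arguing about, as an added example that is not code from PHP's safe_mode.c or from anyone in this thread: a lexical resolver that joins a relative filename onto the working directory and collapses '.' and '..' components, plus the control flow the patch introduces, where a failed getcwd() (which Solaris reports as EACCES when a parent directory cannot be read) makes the check fall back to the unmodified relative path instead of an empty one. The names expand_relative, resolve_for_check, expands_to, resolves_to, rejects_overflow, EX_MAXPATHLEN and the injectable getcwd stand-ins are assumptions of this example; the working directory /home/g/geoffwa/test/a/b/c and the expected paths are constructed from the reporter's test output.

```c
#define _POSIX_C_SOURCE 200809L /* strtok_r */
#include <stdio.h>
#include <string.h>

#define EX_MAXPATHLEN 1024 /* assumption: stands in for PHP's MAXPATHLEN */

/* Bounded copy in place of the patch's strcpy(): 0 on success, -1 if it would overflow. */
static int bounded_copy(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen) { if (dstlen) dst[0] = '\0'; return -1; }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Lexically join filename onto cwd and collapse "." and "..". cwd == NULL models a
 * failed getcwd(): the filename is passed through unchanged so a later stat() still
 * has something the kernel can resolve, rather than an empty path. 0, or -1 on overflow. */
int expand_relative(const char *cwd, const char *filename, char *out, size_t outlen)
{
    char work[EX_MAXPATHLEN], *segs[EX_MAXPATHLEN / 2], *save, *tok;
    size_t nsegs = 0, pos = 0, i;
    int absolute;
    if (cwd == NULL || filename[0] == '/')
        return bounded_copy(out, outlen, filename); /* passthrough */
    if (snprintf(work, sizeof work, "%s/%s", cwd, filename) >= (int)sizeof work)
        return -1;
    absolute = (work[0] == '/');
    for (tok = strtok_r(work, "/", &save); tok; tok = strtok_r(NULL, "/", &save)) {
        if (strcmp(tok, ".") == 0) continue;
        if (strcmp(tok, "..") == 0) {
            if (nsegs > 0 && strcmp(segs[nsegs - 1], "..") != 0)
                nsegs--;             /* step back over a real component */
            else if (!absolute)
                segs[nsegs++] = tok; /* relative base: keep a leading ".." */
            continue;                /* absolute base: "/.." is just "/" */
        }
        segs[nsegs++] = tok;
    }
    if (absolute) {
        if (outlen < 2) return -1;
        out[pos++] = '/';
    }
    for (i = 0; i < nsegs; i++) {
        size_t len = strlen(segs[i]);
        if (pos + (i > 0) + len + 1 > outlen) return -1;
        if (i > 0) out[pos++] = '/';
        memcpy(out + pos, segs[i], len);
        pos += len;
    }
    if (pos == 0) {
        if (outlen < 2) return -1;
        out[pos++] = '.';
    }
    out[pos] = '\0';
    return 0;
}

/* The control flow the patch introduces, with getcwd() injectable so the EACCES case
 * runs on any platform. Note sizeof cwd (the array), never sizeof of a pointer. */
typedef char *(*getcwd_fn)(char *buf, size_t size);

int resolve_for_check(getcwd_fn get_cwd, const char *filename, char *out, size_t outlen)
{
    char cwd[EX_MAXPATHLEN];
    return expand_relative(get_cwd(cwd, sizeof cwd) ? cwd : NULL, filename, out, outlen);
}

/* Constructed getcwd() stand-ins: one succeeds with a directory taken from the
 * reporter's output, one fails as Solaris does when a parent directory is unreadable. */
static char *fake_getcwd_ok(char *buf, size_t size)
{
    return (size_t)snprintf(buf, size, "/home/g/geoffwa/test/a/b/c") < size ? buf : NULL;
}
static char *fake_getcwd_eacces(char *buf, size_t size) { (void)buf; (void)size; return NULL; }

int expands_to(const char *cwd, const char *fn, const char *want)
{
    char out[EX_MAXPATHLEN];
    return expand_relative(cwd, fn, out, sizeof out) == 0 && strcmp(out, want) == 0;
}
int resolves_to(getcwd_fn get_cwd, const char *fn, const char *want)
{
    char out[EX_MAXPATHLEN];
    return resolve_for_check(get_cwd, fn, out, sizeof out) == 0 && strcmp(out, want) == 0;
}
int rejects_overflow(void)
{
    char small[8]; /* deliberately too small for the path below */
    return expand_relative(NULL, "/home/g/geoffwa/test/a/b/file", small, sizeof small) == -1;
}

int main(void)
{
    char out[EX_MAXPATHLEN];
    resolve_for_check(fake_getcwd_eacces, "../file", out, sizeof out);
    printf("getcwd failed: ../file -> %s (passed through, not emptied)\n", out);
    return 0;
}
```

Every buffer size here is passed explicitly as the size of the array, which is the sizeof(filename) versus sizeof(filename_test) point raised in the comment above; with the pointer size, the getcwd() call in the patch fails on almost any working directory and the fallback branch is taken even where the cwd is readable.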


Previous Comments:


[2007-10-10 01:01:42] [EMAIL PROTECTED]

Geoffwa, when you get a chance, please let me know if applying the
patch below to the current snapshot fixes the issue for you.

[EMAIL PROTECTED]:~/mkdirtest]$ ./php-solfix -dsafe_mode=1
./test2.php
Current working directory is: /export/home/rob/mkdirtest
Opened /export/home/rob/mkdirtest/a/b/file
Opened ./a/b/file from ./a using ./b/file
Opened ./a/b/file from ./a using ./b/c/../file
Opened ./a/b/file from ./a/b/c using ../file
Opened ../file from ./a/b/c using ./../file
Opened ./a/b/file from ./a/b using ./file
Opened ./a/file from ./a/b using ./c/../../file
Opened ./a/b/c/file from ./a/b/c using ../c/file
[EMAIL PROTECTED]:~/mkdirtest]$ ./php-solfix -dsafe_mode=1 ./test.php
SUCCESS



--- ./safe_mode.c.old   2007-09-23 10:19:21.0 -0500
+++ ./safe_mode.c   2007-10-09 19:39:44.0 -0500
@@ -86,7 +86,15 @@
 * If that fails, passthrough and check directory...
 */
if (mode != CHECKUID_ALLOW_ONLY_DIR) {
-   expand_filepath(filename, path TSRMLS_CC);
+
+char filename_test[MAXPATHLEN];
+strcpy(filename_test,filename);
+if (VCWD_GETCWD(filename_test, sizeof(filename)) ==
NULL) {
+strcpy(path,filename);
+} else {
+expand_filepath(filename, path TSRMLS_CC);
+}
+
ret = VCWD_STAT(path, &sb);
if (ret < 0) {
if (mode == CHECKUID_DISALLOW_FILE_NOT_EXISTS)
{
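Review bot: sizeof(filename) in the VCWD_GETCWD() call is the size of the char pointer, not of the filename_test buffer it points at, so getcwd() is handed a 4- or 8-byte buffer and fails with ERANGE for practically any working directory; the strcpy(path, filename) fallback is then taken even where the cwd is perfectly readable, which may be part of why the patched build still fails both test cases. It should be sizeof(filename_test), as the reporter also asks. The strcpy(filename_test, filename) just before it is dead as well as unbounded, since a successful getcwd() overwrites the buffer, and the fallback strcpy(path, filename) copies a caller-supplied path into path with no length check at all; drop the first and give the second a bounded copy against path's real size (strlcpy, or a strlen() test against MAXPATHLEN) before this goes in.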




[2007-10-09 20:34:59] [EMAIL PROTECTED]


Thanks, that was it.  I am able to reproduce the situation now.

Have tracked the issue down to safe_mode.c, php_checkuid_ex(), as is
shown above in the thread and am working with it.




[2007-10-09 16:07:47] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows (zip):
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi





[2007-10-09 06:58:42] geoffwa at cs dot rmit dot edu dot au

Err are you running with safe mode on?

$ ./php5.2-200710080430-debug -dsafe_mode=0 test2.php
SUCCESS



[2007-10-09 06:56:17] geoffwa at cs dot rmit dot edu dot au

I can send you a tar, but I doubt that'll help matters. Here's the
directory:

---
drwxrwxrwx 2 geoffwa staff  512 Oct  9 16:44 .
drwx------ 8 geoffwa staff  512 Oct  8 15:14 ..
-rwx------ 1 geoffwa staff 3.7M Oct  9 16:23 php5.2-200710080430
-rwx------ 1 geoffwa staff  11M Oct  9 16:44 php5.2-200710080430-debug
-rw------- 1 geoffwa staff 2.7K Oct  8 15:17 test.php
-rw------- 1 geoffwa staff  301 Oct  8 15:21 test2.php
---
(set . to 0777 for demonstration purposes)

(run the smaller of the two example scripts)
$ ./php5.2-200710080430-debug test2.php
Warning: mkdir(): Unable to access ./a in /homedir/test2.php on line 3
mkdir failed



The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/41899

-- 
Edit this bug report at http://bugs.php.net/?id=41899&edit=1


#41899 [Fbk->Opn]: Can't open files with leading relative path of '..' and '..' is not readable

2007-10-07 Thread [EMAIL PROTECTED]
 ID:   41899
 User updated by:  [EMAIL PROTECTED]
 Reported By:  [EMAIL PROTECTED]
-Status:   Feedback
+Status:   Open
 Bug Type: Streams related
 Operating System: Solaris 10
 PHP Version:  5.2.3
 Assigned To:  ab5602
 New Comment:

With php5.2-200710080430 the problem is worse, not better.

I can't even mkdir() in my test script any more!



produces:
Warning: mkdir(): Unable to access ./a in
/home/g/geoffwa/work/test/test2.php on line 3
mkdir failed

Looking at truss, the last four syscalls are:
getcwd("/home/g/geoffwa/work/test", 1024)   = 0
resolvepath("./a", 0xFFBFD238, 1024)Err#2 ENOENT
stat("a", 0xFFBFDF20)   Err#2 ENOENT
stat("a", 0xFFBFDF20)   Err#2 ENOENT

I'd also like to point out that the Solaris getcwd() works fine:
(from the man page)

The getcwd() function may fail if:

EACCES  A parent directory cannot be read to get its
name.


Previous Comments:


[2007-10-08 03:04:17] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows (zip):
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi

Try the latest CVS snapshot.  Fixed the 41822 bug, which I feel is
probably the same.



[2007-09-17 09:48:37] ian at onlineloop dot com

Unfortunately we are not in a position to either wait for PHP6 or
immediately migrate to it when it does come out.  We have too many
users with too many scripts on our server, and telling over 800
people that they have to adjust their scripts in less than 6 months
just doesn't work here :-(

With the continuing failure to fix this bug, we are left in a very 
uncomfortable situation, either continue with the security hole 
loaded 5.1.6, or apply the patch you offered.  No one from the PHP
project has logged into the system we set up for them on an E3500 since
5 July 2007 either, so I'm really left wondering about the seriousness
there is to actually fix this bug.

Anyway, I have seen from the source for PHP that realpath is
definitely not a function from Sun.  realpath is all from the PHP
project itself, so the attempt to shovel off the blame to Sun (post
from 6 Jul 3:16pm) is not justifiable.  Besides, this all worked just
fine up until PHP 5.2.0 came out...



[2007-09-13 01:56:00] geoffwa at cs dot rmit dot edu dot au

I'll stress again that while the patch may work, I'm not sure if it's
'correct' or not, mainly because I have no idea what php_checkuid_ex()
is supposed to return; safe_mode-isms like open_basedir may need it.

I just traced the execution of the offending PHP script repeatedly for
the failure case, and deduced that the expand_filepath() call in
php_checkuid_ex() that I've removed in the patch was returning an empty
path under similar conditions to where a getcwd() call would fail.

The actual path blatting appeared to occur in virtual_file_ex(), and we
produced a separate patch which completely short-circuited this function
and also made all the test conditions work.

Given that PHP6 is removing safe_mode completely, I imagine this
problem will hopefully be fixed then :)



[2007-09-12 11:53:14] ian at onlineloop dot com

I've tried the patch offered by Geoff.  It seems to work just fine for
us too in the cvs version from today (php5.2-200709121030).



[2007-09-12 10:38:34] ian at onlineloop dot com

Verified that this is still not working in 5.2.4.

We made a system available on a Sun E3500, partially for the purposes
of fixing this bug.  The last login from anyone from the PHP team was on
5 July 2007.

Is there any time plan to fix this bug?  We are running on Solaris 10
and are stuck on PHP 5.1.6 because of this problem, so the situation for
us is critical.





#41899 [Fbk->Opn]: Can't open files with leading relative path of '..' and '..' is not readable

2007-07-05 Thread geoffwa at cs dot rmit dot edu dot au
 ID:   41899
 User updated by:  geoffwa at cs dot rmit dot edu dot au
 Reported By:  geoffwa at cs dot rmit dot edu dot au
-Status:   Feedback
+Status:   Open
 Bug Type: Streams related
 Operating System: Solaris 10
 PHP Version:  5.2.3
 New Comment:

Is also broken in 5.2.0 and 5.2.2.

Appears to be fixed in latest snapshot:
> ./php-5.2-200707060030 -v
PHP 5.2.4-dev (cli) (built: Jul  6 2007 10:59:53) 
Copyright (c) 1997-2007 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies

> ./php-5.2-200707060030 -f test.php
Current working directory is: /home/g/geoffwa/test
Opened /home/g/geoffwa/test/a/b/file
Opened ./a/b/file from ./a using ./b/file
Opened ./a/b/file from ./a using ./b/c/../file
Opened ./a/b/file from ./a/b/c using ../file
Opened ../file from ./a/b/c using ./../file
Opened ./a/b/file from ./a/b using ./file
Opened ./a/file from ./a/b using ./c/../../file
Opened ./a/b/c/file from ./a/b/c using ../c/file


Previous Comments:


[2007-07-05 21:59:45] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows (zip):
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

For Windows (installer):

  http://snaps.php.net/win32/php5.2-win32-installer-latest.msi





[2007-07-05 06:34:06] geoffwa at cs dot rmit dot edu dot au

Description:

(possibly related to bug #39953 or bug #39351)

If a relative path to a file has '..' as a leading path component,
and the directory referred to by '..' is not readable by the user,
then opening a file using the relative path fails.

Using an absolute path or a path with a non-'..' leading component
opens said file just fine.



Reproduce code:
---
See http://goanna.cs.rmit.edu.au/~geoffwa/relative_path_bug.php
for a large test script.

Expected result:

(Using PHP 5.1.4)
Current working directory is: /home/g/geoffwa/test
Opened /home/g/geoffwa/test/a/b/file
Opened ./a/b/file from ./a using ./b/file
Opened ./a/b/file from ./a using ./b/c/../file
Opened ./a/b/file from ./a/b/c using ../file
Opened ../file from ./a/b/c using ./../file
Opened ./a/b/file from ./a/b using ./file
Opened ./a/file from ./a/b using ./c/../../file
Opened ./a/b/c/file from ./a/b/c using ../c/file


Actual result:
--
(Using PHP 5.2.3 + suhosin patch)
Opened /home/g/geoffwa/test/a/b/file
Opened ./a/b/file from ./a using ./b/file
Opened ./a/b/file from ./a using ./b/c/../file
Failed to open ./a/b/file from ./a/b/c using ../file
Failed to open ./a/b/file from ./a/b/c using ./../file
Opened ./a/b/file from ./a/b using ./file
Opened ./a/file from ./a/b using ./c/../../file
Failed to open ./a/b/c/file from ./a/b/c using ../c/file





