Bug #46888 [Com]: copy() : safe_mode / allow_url_fopen does not allow opening urls
Edit report at https://bugs.php.net/bug.php?id=46888edit=1 ID: 46888 Comment by: maurice dot sienema at isp dot solcon dot nl Reported by:php at degoulet dot net Summary:copy() : safe_mode / allow_url_fopen does not allow opening urls Status: Verified Type: Bug Package:Safe Mode/open_basedir Operating System: * PHP Version:5.2.9 Block user comment: N Private report: N New Comment: I can reproduce this issue on PHP 5.3.13 Previous Comments: [2011-11-09 14:58:15] czigor at freemail dot hu Same here on php 5.2.17, Linux blue 2.6.37-fw2. [2011-05-20 02:32:41] macmiranda at gmail dot com same on centos 5.5 php 5.2.17 [2009-09-01 16:21:41] sjo...@php.net Could reproduce. With safe mode, files which are handled by stream wrappers are checked against the filesystem. This is wrong. [2009-05-15 14:04:27] christian at elmerot dot se You apply the patch using the command patch when you build PHP from the sourcecode. If you've never done this before I cannot recommend that you do this for something like PHP. If you still go ahead, download the PHP sourcecode, extract it and read the files (README and INSTALL). Check documentation for using the patch command (man patch). in general you save the patch to a file (lets call it safemode.patch) then you simply run patch main/safe_mode.c safemode.patch in the folder where you unpacked the source [2009-04-28 13:32:43] neo at nord-style dot com Hello, I've the same problem but I don't understand how use this patch. Actually safe_mode off but it's not a solution. How and Where Am i use this : --- diff -Nur php-5.2.8/main/safe_mode.c php-5.2.8_1/main/safe_mode.c --- php-5.2.8/main/safe_mode.c 2008-07-24 18:01:59.0 +0200 +++ php-5.2.8_1/main/safe_mode.c2008-12-17 15:01:07.502862702 +0100 @@ -52,6 +52,7 @@ long uid=0L, gid=0L, duid=0L, dgid=0L; char path[MAXPATHLEN]; char *s, filenamecopy[MAXPATHLEN]; + php_stream_wrapper *wrapper = NULL; TSRMLS_FETCH(); path[0] = '\0'; @@ -72,6 +73,15 @@ mode = CHECKUID_CHECK_FILE_AND_DIR; } } + + /* +* If given filepath is a URL, allow - safe mode stuff +* related to URL's is checked in individual functions +* Possibly/likely allows for safe_mode bypass!!! +*/ + wrapper = php_stream_locate_url_wrapper(filename, NULL, STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC); + if ((wrapper != NULL) (strstr(filename, ..\/) == NULL)) + return 1; /* First we see if the file is owned by the same user... * If that fails, passthrough and check directory... --- Thx The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=46888 -- Edit this bug report at https://bugs.php.net/bug.php?id=46888edit=1
Bug #46888 [Com]: copy() : safe_mode / allow_url_fopen does not allow opening urls
Edit report at https://bugs.php.net/bug.php?id=46888edit=1 ID: 46888 Comment by: czigor at freemail dot hu Reported by:php at degoulet dot net Summary:copy() : safe_mode / allow_url_fopen does not allow opening urls Status: Verified Type: Bug Package:Safe Mode/open_basedir Operating System: * PHP Version:5.2.9 Block user comment: N Private report: N New Comment: Same here on php 5.2.17, Linux blue 2.6.37-fw2. Previous Comments: [2011-05-20 02:32:41] macmiranda at gmail dot com same on centos 5.5 php 5.2.17 [2009-09-01 16:21:41] sjo...@php.net Could reproduce. With safe mode, files which are handled by stream wrappers are checked against the filesystem. This is wrong. [2009-05-15 14:04:27] christian at elmerot dot se You apply the patch using the command patch when you build PHP from the sourcecode. If you've never done this before I cannot recommend that you do this for something like PHP. If you still go ahead, download the PHP sourcecode, extract it and read the files (README and INSTALL). Check documentation for using the patch command (man patch). in general you save the patch to a file (lets call it safemode.patch) then you simply run patch main/safe_mode.c safemode.patch in the folder where you unpacked the source [2009-04-28 13:32:43] neo at nord-style dot com Hello, I've the same problem but I don't understand how use this patch. Actually safe_mode off but it's not a solution. How and Where Am i use this : --- diff -Nur php-5.2.8/main/safe_mode.c php-5.2.8_1/main/safe_mode.c --- php-5.2.8/main/safe_mode.c 2008-07-24 18:01:59.0 +0200 +++ php-5.2.8_1/main/safe_mode.c2008-12-17 15:01:07.502862702 +0100 @@ -52,6 +52,7 @@ long uid=0L, gid=0L, duid=0L, dgid=0L; char path[MAXPATHLEN]; char *s, filenamecopy[MAXPATHLEN]; + php_stream_wrapper *wrapper = NULL; TSRMLS_FETCH(); path[0] = '\0'; @@ -72,6 +73,15 @@ mode = CHECKUID_CHECK_FILE_AND_DIR; } } + + /* +* If given filepath is a URL, allow - safe mode stuff +* related to URL's is checked in individual functions +* Possibly/likely allows for safe_mode bypass!!! +*/ + wrapper = php_stream_locate_url_wrapper(filename, NULL, STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC); + if ((wrapper != NULL) (strstr(filename, ..\/) == NULL)) + return 1; /* First we see if the file is owned by the same user... * If that fails, passthrough and check directory... --- Thx [2009-03-12 13:44:07] fuxa_kos at unihost dot cz problem still in 5.2.9 The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at https://bugs.php.net/bug.php?id=46888 -- Edit this bug report at https://bugs.php.net/bug.php?id=46888edit=1
Bug #46888 [Com]: copy() : safe_mode / allow_url_fopen does not allow opening urls
Edit report at http://bugs.php.net/bug.php?id=46888edit=1 ID: 46888 Comment by: macmiranda at gmail dot com Reported by:php at degoulet dot net Summary:copy() : safe_mode / allow_url_fopen does not allow opening urls Status: Verified Type: Bug Package:Safe Mode/open_basedir Operating System: * PHP Version:5.2.9 Block user comment: N Private report: N New Comment: same on centos 5.5 php 5.2.17 Previous Comments: [2009-09-01 16:21:41] sjo...@php.net Could reproduce. With safe mode, files which are handled by stream wrappers are checked against the filesystem. This is wrong. [2009-05-15 14:04:27] christian at elmerot dot se You apply the patch using the command patch when you build PHP from the sourcecode. If you've never done this before I cannot recommend that you do this for something like PHP. If you still go ahead, download the PHP sourcecode, extract it and read the files (README and INSTALL). Check documentation for using the patch command (man patch). in general you save the patch to a file (lets call it safemode.patch) then you simply run patch main/safe_mode.c safemode.patch in the folder where you unpacked the source [2009-04-28 13:32:43] neo at nord-style dot com Hello, I've the same problem but I don't understand how use this patch. Actually safe_mode off but it's not a solution. How and Where Am i use this : --- diff -Nur php-5.2.8/main/safe_mode.c php-5.2.8_1/main/safe_mode.c --- php-5.2.8/main/safe_mode.c 2008-07-24 18:01:59.0 +0200 +++ php-5.2.8_1/main/safe_mode.c2008-12-17 15:01:07.502862702 +0100 @@ -52,6 +52,7 @@ long uid=0L, gid=0L, duid=0L, dgid=0L; char path[MAXPATHLEN]; char *s, filenamecopy[MAXPATHLEN]; + php_stream_wrapper *wrapper = NULL; TSRMLS_FETCH(); path[0] = '\0'; @@ -72,6 +73,15 @@ mode = CHECKUID_CHECK_FILE_AND_DIR; } } + + /* +* If given filepath is a URL, allow - safe mode stuff +* related to URL's is checked in individual functions +* Possibly/likely allows for safe_mode bypass!!! +*/ + wrapper = php_stream_locate_url_wrapper(filename, NULL, STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC); + if ((wrapper != NULL) (strstr(filename, ..\/) == NULL)) + return 1; /* First we see if the file is owned by the same user... * If that fails, passthrough and check directory... --- Thx [2009-03-12 13:44:07] fuxa_kos at unihost dot cz problem still in 5.2.9 [2008-12-17 15:22:50] php at degoulet dot net thanks : this workaround works fine ! The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/bug.php?id=46888 -- Edit this bug report at http://bugs.php.net/bug.php?id=46888edit=1
#46888 [Com]: copy() : safe_mode / allow_url_fopen does not allow opening urls
ID: 46888 Comment by: christian at elmerot dot se Reported By: php at degoulet dot net Status: Open Bug Type: Safe Mode/open_basedir Operating System: * PHP Version: 5.2.9 New Comment: You apply the patch using the command patch when you build PHP from the sourcecode. If you've never done this before I cannot recommend that you do this for something like PHP. If you still go ahead, download the PHP sourcecode, extract it and read the files (README and INSTALL). Check documentation for using the patch command (man patch). in general you save the patch to a file (lets call it safemode.patch) then you simply run patch main/safe_mode.c safemode.patch in the folder where you unpacked the source Previous Comments: [2009-04-28 13:32:43] neo at nord-style dot com Hello, I've the same problem but I don't understand how use this patch. Actually safe_mode off but it's not a solution. How and Where Am i use this : --- diff -Nur php-5.2.8/main/safe_mode.c php-5.2.8_1/main/safe_mode.c --- php-5.2.8/main/safe_mode.c 2008-07-24 18:01:59.0 +0200 +++ php-5.2.8_1/main/safe_mode.c2008-12-17 15:01:07.502862702 +0100 @@ -52,6 +52,7 @@ long uid=0L, gid=0L, duid=0L, dgid=0L; char path[MAXPATHLEN]; char *s, filenamecopy[MAXPATHLEN]; + php_stream_wrapper *wrapper = NULL; TSRMLS_FETCH(); path[0] = '\0'; @@ -72,6 +73,15 @@ mode = CHECKUID_CHECK_FILE_AND_DIR; } } + + /* +* If given filepath is a URL, allow - safe mode stuff +* related to URL's is checked in individual functions +* Possibly/likely allows for safe_mode bypass!!! +*/ + wrapper = php_stream_locate_url_wrapper(filename, NULL, STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC); + if ((wrapper != NULL) (strstr(filename, ..\/) == NULL)) + return 1; /* First we see if the file is owned by the same user... * If that fails, passthrough and check directory... --- Thx [2009-03-12 13:44:07] fuxa_kos at unihost dot cz problem still in 5.2.9 [2008-12-17 15:22:50] php at degoulet dot net thanks : this workaround works fine ! [2008-12-17 14:58:32] christian at elmerot dot se The following patch restores part of behaviour from 5.2.6 yet has an extra check to see if the URL contains ../ which is where the removal came from. It is not a 100% correct fix in that it still allows for unknown URL vectors to bypass safe_mode, however, it is less broken this way for us. Perhaps the patch will help someone else. Remember, this is a safe_mode bypass issue that was fixed and the underlying cause (URLs: http: mapping to a local file incorrectly) looks to me unfixed. To me it looks as if safe_mode fails in this case but it also do no extra harm that won't be allowed with safe_mode disabled. Have I missed something? diff -Nur php-5.2.8/main/safe_mode.c php-5.2.8_1/main/safe_mode.c --- php-5.2.8/main/safe_mode.c 2008-07-24 18:01:59.0 +0200 +++ php-5.2.8_1/main/safe_mode.c2008-12-17 15:01:07.502862702 +0100 @@ -52,6 +52,7 @@ long uid=0L, gid=0L, duid=0L, dgid=0L; char path[MAXPATHLEN]; char *s, filenamecopy[MAXPATHLEN]; + php_stream_wrapper *wrapper = NULL; TSRMLS_FETCH(); path[0] = '\0'; @@ -72,6 +73,15 @@ mode = CHECKUID_CHECK_FILE_AND_DIR; } } + + /* +* If given filepath is a URL, allow - safe mode stuff +* related to URL's is checked in individual functions +* Possibly/likely allows for safe_mode bypass!!! +*/ + wrapper = php_stream_locate_url_wrapper(filename, NULL, STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC); + if ((wrapper != NULL) (strstr(filename, ..\/) == NULL)) + return 1; /* First we see if the file is owned by the same user... * If that fails, passthrough and check directory... [2008-12-17 14:44:14] php at degoulet dot net error msg : Warning: copy(): Unable to access http://www.x.com/testcopy/nok.jpg in //test.php The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/46888 -- Edit this bug report at http://bugs.php.net/?id=46888edit=1
#46888 [Com]: copy() : safe_mode / allow_url_fopen does not allow opening urls
ID: 46888 Comment by: neo at nord-style dot com Reported By: php at degoulet dot net Status: Open Bug Type: Safe Mode/open_basedir Operating System: * PHP Version: 5.2.9 New Comment: Hello, I've the same problem but I don't understand how use this patch. Actually safe_mode off but it's not a solution. How and Where Am i use this : --- diff -Nur php-5.2.8/main/safe_mode.c php-5.2.8_1/main/safe_mode.c --- php-5.2.8/main/safe_mode.c 2008-07-24 18:01:59.0 +0200 +++ php-5.2.8_1/main/safe_mode.c2008-12-17 15:01:07.502862702 +0100 @@ -52,6 +52,7 @@ long uid=0L, gid=0L, duid=0L, dgid=0L; char path[MAXPATHLEN]; char *s, filenamecopy[MAXPATHLEN]; + php_stream_wrapper *wrapper = NULL; TSRMLS_FETCH(); path[0] = '\0'; @@ -72,6 +73,15 @@ mode = CHECKUID_CHECK_FILE_AND_DIR; } } + + /* +* If given filepath is a URL, allow - safe mode stuff +* related to URL's is checked in individual functions +* Possibly/likely allows for safe_mode bypass!!! +*/ + wrapper = php_stream_locate_url_wrapper(filename, NULL, STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC); + if ((wrapper != NULL) (strstr(filename, ..\/) == NULL)) + return 1; /* First we see if the file is owned by the same user... * If that fails, passthrough and check directory... --- Thx Previous Comments: [2009-03-12 13:44:07] fuxa_kos at unihost dot cz problem still in 5.2.9 [2008-12-17 15:22:50] php at degoulet dot net thanks : this workaround works fine ! [2008-12-17 14:58:32] christian at elmerot dot se The following patch restores part of behaviour from 5.2.6 yet has an extra check to see if the URL contains ../ which is where the removal came from. It is not a 100% correct fix in that it still allows for unknown URL vectors to bypass safe_mode, however, it is less broken this way for us. Perhaps the patch will help someone else. Remember, this is a safe_mode bypass issue that was fixed and the underlying cause (URLs: http: mapping to a local file incorrectly) looks to me unfixed. To me it looks as if safe_mode fails in this case but it also do no extra harm that won't be allowed with safe_mode disabled. Have I missed something? diff -Nur php-5.2.8/main/safe_mode.c php-5.2.8_1/main/safe_mode.c --- php-5.2.8/main/safe_mode.c 2008-07-24 18:01:59.0 +0200 +++ php-5.2.8_1/main/safe_mode.c2008-12-17 15:01:07.502862702 +0100 @@ -52,6 +52,7 @@ long uid=0L, gid=0L, duid=0L, dgid=0L; char path[MAXPATHLEN]; char *s, filenamecopy[MAXPATHLEN]; + php_stream_wrapper *wrapper = NULL; TSRMLS_FETCH(); path[0] = '\0'; @@ -72,6 +73,15 @@ mode = CHECKUID_CHECK_FILE_AND_DIR; } } + + /* +* If given filepath is a URL, allow - safe mode stuff +* related to URL's is checked in individual functions +* Possibly/likely allows for safe_mode bypass!!! +*/ + wrapper = php_stream_locate_url_wrapper(filename, NULL, STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC); + if ((wrapper != NULL) (strstr(filename, ..\/) == NULL)) + return 1; /* First we see if the file is owned by the same user... * If that fails, passthrough and check directory... [2008-12-17 14:44:14] php at degoulet dot net error msg : Warning: copy(): Unable to access http://www.x.com/testcopy/nok.jpg in //test.php [2008-12-17 14:17:58] php at degoulet dot net Description: copy() does not use the allow_url_fopen status ? Reproduce code: --- ?php // Fonction copie distante ne fonctionnant plus copy(http://www.xx.com/testcopy/nok.jpg;, nok_copy.jpg); ? Expected result: works fine in php 5.2.6 : with allow_url_fopen = On safe_mode = On doesn't work with the same config php 5.2.8 now, it works only if safe_mode off ? -- Edit this bug report at http://bugs.php.net/?id=46888edit=1