ID: 47318
Updated by: paj...@php.net
Reported By: stas at zend dot com
-Status: Assigned
+Status: Closed
Bug Type: PHP options/info functions
Operating System: *
PHP Version: 5.3CVS-2009-02-05 (CVS)
Assigned To: pajoye

New Comment:

This bug has been fixed in CVS. Snapshots of the sources are packaged every three hours; this change will be in the next snapshot. You can grab the snapshot at http://snaps.php.net/.

Thank you for the report, and for helping us make PHP better.

Previous Comments:
------------------------------------------------------------------------
[2009-06-16 23:44:39] s...@php.net

The patch needs one change: if the path is inside docroot, it should check up to docroot, otherwise it should take current dir only (now it looks like it ignores it completely).
------------------------------------------------------------------------
[2009-05-26 01:00:01] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is being suspended automatically. If you are able to provide the information that was originally requested, please do so and change the status of the bug back to "Open".
------------------------------------------------------------------------
[2009-05-18 17:13:18] paj...@php.net

Patch proposal: http://pastebin.com/m55fa609d

It also slightly changes the behaviors:
- if the current script is not inside the DOCUMENT_ROOT, the path is not processed
- it also checks if the path is an absolute path and gets the real path if not (to test against the doc_root)

Stas, Jani: can you test it please before I commit it?
------------------------------------------------------------------------
[2009-02-05 18:45:37] stas at zend dot com

Description:
------------
In function sapi_cgi_activate, php_cgi_ini_activate_user_config is called with the path of the current script and third parameter 'start', which is document_root length - 1. Then, the following code is used:

    ptr = path + start; /* start is the point where doc_root ends! */
    while ((ptr = strchr(ptr, DEFAULT_SLASH)) != NULL) {

However, in general, path is not guaranteed to be residing in DOCUMENT_ROOT.
While usually it is the case, there could be rewriting/aliasing scenarios that would call PHP on files outside document root. Or the user can invoke the PHP binary by himself too (having DOCUMENT_ROOT set independently, but not intending to use it). In such cases, DOCUMENT_ROOT length has no relation to path length, which makes ptr point either to a random place inside the string if DOCUMENT_ROOT is short, or to a random unallocated place in memory if it is longer than the current path.

Reproduce code:
---------------
One can easily reproduce it by setting DOCUMENT_ROOT to a very long string and running PHP CGI under valgrind with the parameter being some short script path.

Actual result:
--------------
==15115== Invalid read of size 1
==15115==    at 0x400609A: index (mc_replace_strmem.c:164)
==15115==    by 0x84CE159: php_cgi_ini_activate_user_config (cgi_main.c:716)
==15115==    by 0x84CE40D: sapi_cgi_activate (cgi_main.c:778)
==15115==    by 0x83DA5C1: sapi_activate (SAPI.c:392)
==15115==    by 0x83D08AC: php_request_startup (main.c:1342)
==15115==    by 0x84D04C1: main (cgi_main.c:1961)
==15115==  Address 0x4A65693 is 5 bytes before a block of size 50 alloc'd
==15115==    at 0x4005400: malloc (vg_replace_malloc.c:149)
==15115==    by 0x844B09C: __zend_malloc (zend_alloc.h:81)
==15115==    by 0x844ADC2: _zend_hash_add_or_update (zend_hash.c:247)
==15115==    by 0x84CE0E9: php_cgi_ini_activate_user_config (cgi_main.c:704)
==15115==    by 0x84CE40D: sapi_cgi_activate (cgi_main.c:778)
==15115==    by 0x83DA5C1: sapi_activate (SAPI.c:392)
==15115==    by 0x83D08AC: php_request_startup (main.c:1342)
==15115==    by 0x84D04C1: main (cgi_main.c:1961)
------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=47318&edit=1
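The root cause in this report is an offset (`start`, derived from the DOCUMENT_ROOT length) that is applied to a different string (the script path) without first establishing that the path actually begins with the document root. The C below is an added, stand-alone illustration written for this page; it is not PHP's cgi_main.c and not the patch from the pastebin link. It implements the behaviour the comments ask for: when the script lies inside DOCUMENT_ROOT, walk the directories from the document root down to the script's directory; otherwise consider only the script's own directory, so `path + start` is never formed from a length that belongs to another buffer. The function names `path_under_docroot`, `user_ini_dirs` and `user_ini_dir_list`, the fixed-size buffers and the sample paths in `main` are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define DEFAULT_SLASH '/'
#define MAX_DIRS 32
#define MAX_PATH_LEN 512

/* Hypothetical helper (not PHP's code): is `path` inside `doc_root`?
 * Prefix match on a directory boundary; trailing slashes on doc_root ignored. */
int path_under_docroot(const char *doc_root, const char *path)
{
    size_t dlen = strlen(doc_root);
    size_t plen = strlen(path);

    if (dlen == 0 || path[0] != DEFAULT_SLASH) return 0; /* DOCUMENT_ROOT unset, or relative path */
    while (dlen > 0 && doc_root[dlen - 1] == DEFAULT_SLASH) dlen--;
    if (dlen == 0) return 1;                             /* doc_root is "/": every absolute path is inside */
    if (plen <= dlen) return 0;                          /* need doc_root + "/" + at least one more char */
    if (memcmp(doc_root, path, dlen) != 0) return 0;
    return path[dlen] == DEFAULT_SLASH;                  /* "/var/www" must not match "/var/wwwroot/x.php" */
}

/* Hypothetical replacement for the walk quoted in the report. Fills `out` with
 * the directories whose .user.ini should be applied, outermost first, and
 * returns their number (-1 on error). Inside doc_root: doc_root down to the
 * script's directory. Outside doc_root: the script's own directory only, and
 * the docroot-derived offset is never applied to `path`. */
int user_ini_dirs(const char *doc_root, const char *path,
                  char out[][MAX_PATH_LEN], int max_out)
{
    size_t plen = strlen(path);
    const char *last_slash = strrchr(path, DEFAULT_SLASH);
    const char *ptr;
    size_t start, dirlen;
    int n = 0;

    if (plen == 0 || plen >= MAX_PATH_LEN || path[0] != DEFAULT_SLASH || max_out < 1)
        return -1;

    if (!path_under_docroot(doc_root, path)) {
        /* Current directory only: "/tmp/x.php" -> "/tmp", "/x.php" -> "/" */
        dirlen = (last_slash == path) ? 1 : (size_t)(last_slash - path);
        memcpy(out[0], path, dirlen);
        out[0][dirlen] = '\0';
        return 1;
    }

    /* Only reached when `path` really starts with doc_root, so `start` is
     * strictly less than plen and path + start stays inside the buffer. */
    start = strlen(doc_root);
    while (start > 0 && doc_root[start - 1] == DEFAULT_SLASH) start--;
    ptr = path + start;                        /* the slash right after doc_root */
    while ((ptr = strchr(ptr, DEFAULT_SLASH)) != NULL) {
        dirlen = (size_t)(ptr - path);
        if (dirlen == 0) dirlen = 1;           /* doc_root "/" -> directory "/" */
        if (n >= max_out) return -1;
        memcpy(out[n], path, dirlen);
        out[n][dirlen] = '\0';
        n++;
        ptr++;
    }
    return n;
}

/* Convenience for inspection: the same list joined with ':' in a static
 * buffer (empty string on error). */
const char *user_ini_dir_list(const char *doc_root, const char *path)
{
    static char dirs[MAX_DIRS][MAX_PATH_LEN];
    static char joined[MAX_DIRS * (MAX_PATH_LEN + 1)];
    int n = user_ini_dirs(doc_root, path, dirs, MAX_DIRS);
    size_t used = 0;
    int i;

    joined[0] = '\0';
    for (i = 0; i < n && used < sizeof joined; i++)
        used += (size_t)snprintf(joined + used, sizeof joined - used,
                                 "%s%s", i ? ":" : "", dirs[i]);
    return joined;
}

int main(void)
{
    /* Constructed sample inputs: a script inside the docroot, and the report's
     * scenario of a DOCUMENT_ROOT far longer than the script path. */
    printf("%s\n", user_ini_dir_list("/var/www", "/var/www/app/sub/index.php"));
    printf("%s\n", user_ini_dir_list("/srv/a/very/long/document/root/that/does/not/match",
                                     "/tmp/t.php"));
    return 0;
}
```

The boundary check in `path_under_docroot` is the part that matters for the report: comparing only the first `strlen(doc_root)` bytes would accept `/var/wwwroot/x.php` for a docroot of `/var/www`, and skipping the length comparison entirely is exactly what let `start` exceed the path length in the valgrind trace above.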