ID: 30489
User updated by: guth at fiifo dot u-psud dot fr
Reported By: guth at fiifo dot u-psud dot fr
Status: Bogus
Bug Type: Zend Engine 2 problem
Operating System: Linux
PHP Version: 5.0.2
New Comment:
I know it is up to the PHP programmer to take care of.
But you know perfectly well that you can't trust PHP programmers.
Most of them don't know about this sort of security problems and it
should be at least documented in the security part of the
documentation.
Some providers (ie : free.fr) disallow \0 in includes.
Is it possible to add a configuration directive in the php.ini file to
disally null characters ?
Additionaly, I asked for file :
/www/includes/../backups/Database.xml\0.class.php
Not file :
/www/backups/Database.xml
Last thing, I can't test files with pathinfo(), because of this
function returns for "test.xml\0" :
array(2) { ["dirname"]=> string(5) "../.." ["basename"]=> string(10)
"test.xml\0" }
So there is a problem if the files are in the same directory as PHP
files...
Previous Comments:
------------------------------------------------------------------------
[2004-10-20 09:52:49] [EMAIL PROTECTED]
Sorry, but your problem does not imply a bug in PHP itself. For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions.
Thank you for your interest in PHP.
This is up to the PHP programmer to take care of. We can not simply
strip out \0's as in some encodings (japanese) it's perfectly valid to
have that \0 as part of a multi-byte character.
------------------------------------------------------------------------
[2004-10-20 09:50:51] guth at fiifo dot u-psud dot fr
Description:
------------
hello,
includes (include, require, etc.) are not binary safe.
It is very dangerous for beginners, who often use includes with
parameters.
In the following example, i kwow that you can test the file name with
pathinfo() but the current PHP behaviour is incorrect.
Reproduce code:
---------------
<?php
$file = $_GET['file'];
$path = $_SERVER['DOCUMENT_ROOT']."/includes/".$file.".class.php";
if(is_file($path)) {
include $path;
}
?>
Expected result:
----------------
index.php?file=Forum
Should work.
I suppose that the directory backups/Database.xml is protected by a
.htaccess and is not accessible with your browser.
index.php?file=../backups/Dabatase.xml%00
Should not work.
Actual result:
--------------
index.php?file=Forum
Should work.
index.php?file=../backups/Dabatase.xml%00
Works !
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=30489&edit=1
