ID: 46888
Updated by: sjo...@php.net
Reported By: php at degoulet dot net
-Status: Open
+Status: Verified
Bug Type: Safe Mode/open_basedir
Operating System: *
PHP Version: 5.2.9
New Comment:
Could reproduce. With safe mode, files which are handled by stream
wrappers are checked against the filesystem. This is wrong.
Previous Comments:
------------------------------------------------------------------------
[2009-05-15 14:04:27] christian at elmerot dot se
You apply the patch using the command patch when you build PHP from the
sourcecode. If you've never done this before I cannot recommend that you
do this for something like PHP.
If you still go ahead, download the PHP sourcecode, extract it and read
the files (README and INSTALL). Check documentation for using the patch
command (man patch). in general you save the patch to a file (lets call
it safemode.patch) then you simply run "patch main/safe_mode.c <
safemode.patch" in the folder where you unpacked the source
------------------------------------------------------------------------
[2009-04-28 13:32:43] neo at nord-style dot com
Hello, I've the same problem but I don't understand how use this patch.
Actually safe_mode off but it's not a solution.
How and Where Am i use this :
---------------
diff -Nur php-5.2.8/main/safe_mode.c php-5.2.8_1/main/safe_mode.c
--- php-5.2.8/main/safe_mode.c 2008-07-24 18:01:59.000000000 +0200
+++ php-5.2.8_1/main/safe_mode.c 2008-12-17 15:01:07.502862702 +0100
@@ -52,6 +52,7 @@
long uid=0L, gid=0L, duid=0L, dgid=0L;
char path[MAXPATHLEN];
char *s, filenamecopy[MAXPATHLEN];
+ php_stream_wrapper *wrapper = NULL;
TSRMLS_FETCH();
path[0] = '\0';
@@ -72,6 +73,15 @@
mode = CHECKUID_CHECK_FILE_AND_DIR;
}
}
+
+ /*
+ * If given filepath is a URL, allow - safe mode stuff
+ * related to URL's is checked in individual functions
+ * Possibly/likely allows for safe_mode bypass!!!
+ */
+ wrapper = php_stream_locate_url_wrapper(filename, NULL,
STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC);
+ if ((wrapper != NULL) && (strstr(filename, "..\/") == NULL))
+ return 1;
/* First we see if the file is owned by the same user...
* If that fails, passthrough and check directory...
---------------
Thx
------------------------------------------------------------------------
[2009-03-12 13:44:07] fuxa_kos at unihost dot cz
problem still in 5.2.9
------------------------------------------------------------------------
[2008-12-17 15:22:50] php at degoulet dot net
thanks : this workaround works fine !
------------------------------------------------------------------------
[2008-12-17 14:58:32] christian at elmerot dot se
The following patch restores part of behaviour from 5.2.6 yet has an
extra check to see if the URL contains "../" which is where the removal
came from. It is not a 100% correct "fix" in that it still allows for
unknown URL vectors to bypass safe_mode, however, it is less broken this
way for us. Perhaps the patch will help someone else.
Remember, this is a safe_mode bypass issue that was fixed and the
underlying cause (URLs: http: mapping to a local file incorrectly) looks
to me unfixed. To me it looks as if safe_mode fails in this case but it
also do no "extra" harm that won't be allowed with safe_mode disabled.
Have I missed something?
diff -Nur php-5.2.8/main/safe_mode.c php-5.2.8_1/main/safe_mode.c
--- php-5.2.8/main/safe_mode.c 2008-07-24 18:01:59.000000000 +0200
+++ php-5.2.8_1/main/safe_mode.c 2008-12-17 15:01:07.502862702 +0100
@@ -52,6 +52,7 @@
long uid=0L, gid=0L, duid=0L, dgid=0L;
char path[MAXPATHLEN];
char *s, filenamecopy[MAXPATHLEN];
+ php_stream_wrapper *wrapper = NULL;
TSRMLS_FETCH();
path[0] = '\0';
@@ -72,6 +73,15 @@
mode = CHECKUID_CHECK_FILE_AND_DIR;
}
}
+
+ /*
+ * If given filepath is a URL, allow - safe mode stuff
+ * related to URL's is checked in individual functions
+ * Possibly/likely allows for safe_mode bypass!!!
+ */
+ wrapper = php_stream_locate_url_wrapper(filename, NULL,
STREAM_LOCATE_WRAPPERS_ONLY TSRMLS_CC);
+ if ((wrapper != NULL) && (strstr(filename, "..\/") == NULL))
+ return 1;
/* First we see if the file is owned by the same user...
* If that fails, passthrough and check directory...
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/46888
--
Edit this bug report at http://bugs.php.net/?id=46888&edit=1
