PHP :: Bug #40455 :: safe_mode_exec

Bug #40455	safe_mode_exec_dir gets executed
Submitted:	2007-02-13 02:00 UTC	Modified:	2007-02-13 15:56 UTC
From:	richton at nbcs dot rutgers dot edu	Assigned:
Status:	Closed	Package:	Safe Mode/open_basedir
PHP Version:	5CVS-2007-02-13 (snap)	OS:	Solaris
Private report:	No	CVE-ID:	None

View Developer Edit

[2007-02-13 02:00 UTC] richton at nbcs dot rutgers dot edu

Description:
------------
In PHP 5.2.1 and in snap 5.2 200702122330 the 
safe_mode_exec_dir gets executed. This did not occur in PHP 
5.2.0. I am using proc_open() here.

Reproduce code:
---------------
<?php
$descriptorspec = array(0 => array("pipe", "r"),  1 => array("pipe", "w"), 2 => array("pipe", "w"));
$process = proc_open("/bin/bash", $descriptorspec, $pipes);
?>


Expected result:
----------------
With safe mode off, expected result of /bin/bash getting 
executed from PHP. (Note truss is like strace if you're used 
to Linux.)

$ truss -f ./php -n  ./execdir.php 2>&1 | grep execve
17635:  execve("php", 0xFFBFFBE4, 0xFFBFFBF4)  argc = 3
17636:  execve("/bin/sh", 0xFFBFEFB8, 0xFFBFFBF4)  argc = 3
17638:  execve("/bin/bash", 0x0003A414, 0x0003A41C)  argc = 1

Expected: That this result should be possible with an 
appropriate safe_mode_exec_dir.

Actual result:
--------------
With safe mode on

$ truss -f ./php -n -d safe_mode=On -d safe_mode_exec_dir=/
bin ./execdir.php 2>&1 | grep execve
17642:  execve("php", 0xFFBFFBAC, 0xFFBFFBCC)  argc = 7
17643:  execve("/bin/sh", 0xFFBFEF80, 0xFFBFFBCC)  argc = 3
17645:  execve("/bin/", 0x0003A408, 0x0003A410)         
Err#13 EACCES

safe_mode_exec_dir "/bin" gets executed, despite code for "/
bin/bash." Note that this is not related to the incoming PHP 
code at all:

$ truss -f ./php -n -d safe_mode=On -d 
safe_mode_exec_dir=FOOBAR ./execdir.php 2>&1 | grep execve
17649:  execve("php", 0xFFBFFBAC, 0xFFBFFBCC)  argc = 7
17650:  execve("/bin/sh", 0xFFBFEF80, 0xFFBFFBCC)  argc = 3
17652:  execve("FOOBAR/", 0x0003A408, 0x0003A410)       
Err#2 ENOENT

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-02-13 09:07 UTC] tony2001@php.net

Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves. 

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external 
resources such as databases, etc. If the script requires a 
database to demonstrate the issue, please make sure it creates 
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

[2007-02-13 13:02 UTC] richton at nbcs dot rutgers dot edu

> To properly diagnose the problem, we
> need a short but complete example script to be able 
> to reproduce this bug ourselves.

And the script filed under "Reproduce code" doesn't meet 
this description how? I even show command lines with which 
to run it. Just in case it's not obvious: What was filed 
under "Reproduce code" in the original report is what I 
placed in "execdir.php" for the Result sections. Assuming 
you're on a system with /bin/bash existing, it's all you 
need to go.

[2007-02-13 13:08 UTC] tony2001@php.net

>Assuming you're on a system with /bin/bash existing, it's
>all you need to go.
Sorry, I've failed to guess what should be the expected result of this code and what is the actual result you get.
(Please no truss output. Thank you.)

[2007-02-13 13:51 UTC] richton at nbcs dot rutgers dot edu

OK, gotcha. The expected result of
$process = proc_open("/bin/bash", $descriptorspec, $pipes);

is that PHP will attempt to execute "/bin/bash". This is the actual result with Safe Mode off. The actual result of that code with safe mode on is that it ignores "/bin/bash" and attempts to execute the safe_mode_exec_dir (absurd, really; you can't run a directory), *silently throwing away* my "/bin/bash" parameter.

This would be like going to a command prompt, and (let's just assume that the safe_mode_exec_dir is /bin) typing "/bin/bash", and getting the message "/bin: is a directory." While that may be a true output, it's not what you typed -- if you type "/bin/bash", you expect "/bin/bash" to be attempted, and you certainly don't expect your input to be thrown away silently.

[2007-02-13 14:29 UTC] tony2001@php.net

Please try this patch:
http://tony2001.phpclub.net/dev/tmp/bug40455.diff

[2007-02-13 15:25 UTC] richton at nbcs dot rutgers dot edu

That patch makes my test case better, thanks.

[2007-02-13 15:56 UTC] tony2001@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Mar 04 06:01:27 2025 UTC