PHP :: Bug #47318 :: UMR when trying to activate user config

Bug #47318	UMR when trying to activate user config
Submitted:	2009-02-05 18:45 UTC	Modified:	2009-06-17 21:16 UTC
From:	stas at zend dot com	Assigned:	pajoye (profile)
Status:	Closed	Package:	PHP options/info functions
PHP Version:	5.3CVS-2009-02-05 (CVS)	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

[2009-02-05 18:45 UTC] stas at zend dot com

Description:
------------
In function sapi_cgi_activate, php_cgi_ini_activate_user_config is called with path of the current script and third parameter 'start' which is document_root length - 1. Then, the following code is used:

		ptr = path + start; /* start is the point where doc_root ends! */
		while ((ptr = strchr(ptr, DEFAULT_SLASH)) != NULL) {


However, in general, path is not guaranteed to be residing in DOCUMENT_ROOT. While usually it is the case, there could be rewriting/aliasing scenarios that would call PHP on files outside document root. Or the user can invoke PHP binary by himself too (having DOCUMENT_ROOT set independently, but not intending to use it). 
In such cases, DOCUMENT_ROOT length has no relation to path length, which makes ptr point either to random place inside string if DOCUMENT_ROOT is short, or to random unallocated place in memory if it is longer than current path. 

Reproduce code:
---------------
One can easily reproduce it by setting DOCUMENT_ROOT to very long string and running PHP CGI under valgrind with parameter being some short script path. 

Actual result:
--------------
==15115== Invalid read of size 1
==15115==    at 0x400609A: index (mc_replace_strmem.c:164)
==15115==    by 0x84CE159: php_cgi_ini_activate_user_config (cgi_main.c:716)
==15115==    by 0x84CE40D: sapi_cgi_activate (cgi_main.c:778)
==15115==    by 0x83DA5C1: sapi_activate (SAPI.c:392)
==15115==    by 0x83D08AC: php_request_startup (main.c:1342)
==15115==    by 0x84D04C1: main (cgi_main.c:1961)
==15115==  Address 0x4A65693 is 5 bytes before a block of size 50 alloc'd
==15115==    at 0x4005400: malloc (vg_replace_malloc.c:149)
==15115==    by 0x844B09C: __zend_malloc (zend_alloc.h:81)
==15115==    by 0x844ADC2: _zend_hash_add_or_update (zend_hash.c:247)
==15115==    by 0x84CE0E9: php_cgi_ini_activate_user_config (cgi_main.c:704)
==15115==    by 0x84CE40D: sapi_cgi_activate (cgi_main.c:778)
==15115==    by 0x83DA5C1: sapi_activate (SAPI.c:392)
==15115==    by 0x83D08AC: php_request_startup (main.c:1342)
==15115==    by 0x84D04C1: main (cgi_main.c:1961)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-05-18 17:13 UTC] pajoye@php.net

Patch proposal: http://pastebin.com/m55fa609d

It also slightly changes the behaviors:
- if the current script is not inside the DOCUMENT_ROOT, the path is not processed
- it also checks if the path is an absolute path and get the real path if not (to test against the doc_root)

Stas, Jani: can you test it please before I commit it?

[2009-05-26 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

[2009-06-16 23:44 UTC] stas@php.net

The patch needs one change: if the path is inside docroot, it should check up to docroot, otherwise it should take current dir only (now it looks like it ignores it completely).

[2009-06-17 21:16 UTC] pajoye@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Nov 01 04:00:02 2025 UTC