php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #50293 Several openssl functions ignore the VCWD
Submitted: 2009-11-25 15:05 UTC Modified: 2022-06-10 08:46 UTC
Votes:13
Avg. Score:3.9 ± 0.9
Reproduced:5 of 5 (100.0%)
Same Version:5 (100.0%)
Same OS:3 (60.0%)
From: gufophp at gmail dot com Assigned: bukka (profile)
Status: Closed Package: OpenSSL related
PHP Version: 7.4 OS: *
Private report: No CVE-ID: None
 [2009-11-25 15:05 UTC] gufophp at gmail dot com
Description:
------------
incorrect path save export file

Reproduce code:
---------------
<pre>
kpe1.php
<?
set_time_limit(0);
$ssl_configargs = array("digest_alg" => "OPENSSL_ALGO_SHA1",
"private_key_bits" => 384,"encrypt_key" => false,"basicConstraints" => "CA:true","keyUsage" => "cRLSign, keyCertSign",
"nsCertType" => "sslCA, emailCA");
$dn = array("countryName" => 'IT',"stateOrProvinceName" => 'Italy',
"localityName" => 'city',"organizationName" => 'org',
"organizationalUnitName" => 'unit',"commonName" => 'name' ,"emailAddress" => 'mail' );
$numberofdays = '365';
$pkey = openssl_pkey_new( $ssl_configargs );
$csr = openssl_csr_new( $dn, $privkey, $ssl_configargs );
$sscert = openssl_csr_sign( $csr, null, $privkey, $numberofdays );
openssl_csr_export( $csr, $csrout );
openssl_x509_export( $sscert, $certout );
openssl_x509_export_to_file ($sscert ,'crt_509_sk.crt',false);
openssl_pkey_export( $privkey, $pkeyout, $configargs['licence_pwd' ]);
openssl_pkey_export_to_file($privkey,'crt_509_pk.pem');

Expected result:
----------------
[dir]
kpe1.php
crt_509_sk.crt
crt_509_pk.pem

Actual result:
--------------
C:\Programmi\Apache Software Foundation\Apache2.2
.....
crt_509_sk.crt
crt_509_pk.pem
.....


Patches

bug-50293 (last revision 2010-08-12 01:31 UTC by kalle@php.net)

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2009-11-25 18:28 UTC] pajoye@php.net
I think the case is clear, it looks like we do not use VCWD or php stream's api and it fails to get the actual CWD.

I will take a look at it asap.
 [2010-08-12 03:31 UTC] kalle@php.net
The following patch has been added/updated:

Patch Name: bug-50293
Revision:   1281576663
URL:        http://bugs.php.net/patch-display.php?bug=50293&patch=bug-50293&revision=1281576663
 [2010-08-12 03:31 UTC] kalle@php.net
I added a roughly untested patch for this, as I have some issues getting openssl to work in my build env, so the patch is more a theory of how it could be fixed.
 [2017-10-24 07:32 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: pajoye +Assigned To:
 [2021-08-13 11:54 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2021-08-13 11:54 UTC] cmb@php.net
I think full stream support is out of scope for any of the stable
versions (and there is already request #50718 for that), but ZTS
builds not regarding the CWD should be fixed.
 [2021-08-17 13:21 UTC] cmb@php.net
-Summary: openssl_****_export_to_file +Summary: Several openssl functions ignore the VCWD -Operating System: win32 only - apache +Operating System: * -PHP Version: 5.2.11 +PHP Version: 7.4
 [2021-08-31 11:58 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #50293: Several openssl functions ignore the VCWD
On GitHub:  https://github.com/php/php-src/pull/7438
Patch:      https://github.com/php/php-src/pull/7438.patch
 [2021-09-21 15:39 UTC] cmb@php.net
-Assigned To: cmb +Assigned To:
 [2022-06-09 18:57 UTC] git@php.net
Automatic comment on behalf of bukka
Revision: https://github.com/php/php-src/commit/b765d4cd411ffb8cdb4b0879017dd85c1ca5d440
Log: Fix bug #50293 and #81713: file path checking in OpenSSL functions
 [2022-06-09 18:57 UTC] git@php.net
-Status: Verified +Status: Closed
 [2022-06-10 08:46 UTC] bukka@php.net
-Assigned To: +Assigned To: bukka
 [2022-06-10 08:46 UTC] bukka@php.net
Just for the reference it will land in 8.0.21 and 8.1.8
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 12:01:31 2024 UTC