Doc Bug #16685 safe_mode_include_dir check is not correct
Submitted: 2002-04-18 12:32 UTC Modified: 2003-01-18 03:35 UTC
From: byg at cf1 dot ru Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4.2.0 OS: Linux
Private report: No CVE-ID: None
 [2002-04-18 12:32 UTC] byg at cf1 dot ru
I found that safe_mode_include_dir check is not correct.
Here's why:
resolved_name (the path in question) and ptr (a next directory from the safe_mode_include_dir list) are compared so:
if (strncmp(ptr, resolved_name, strlen(ptr)) == 0)
let ptr="/var/www/script" and resolved_name="/var/www/scripts"
obviously, they will match though it's wrong.
It is necessary to add an extra check for trailing char
(valid one is either a slash or \0)
In fact, checking the lengths of those may save a bit of CPU time
(especially with the long list).
Here's suggested patch (it also is available at
http://www.cf1.ru/~byg/patch/php/safe_mode_include_dir.patch
ftp://ftp.cf1.ru/pub/patches/php/safe_mode_include_dir.patch
):


--- main/fopen_wrappers.c.orig  Thu Apr 18 21:40:57 2002
+++ main/fopen_wrappers.c       Thu Apr 18 23:02:55 2002
@@ -233,6 +233,7 @@
                char *ptr;
                char *end;
                char resolved_name[MAXPATHLEN];
+               int  len;

                /* Resolve the real path into resolved_name */
                if (expand_filepath(path, resolved_name TSRMLS_CC) == NULL)
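Review bot: The new `int  len;` declaration holds the result of `strlen(ptr)`, which is a `size_t`, and the second hunk then compares it with `strlen(resolved_name) >= len`, mixing signed and unsigned operands. Declare it as `size_t len;` so the comparison and the later `strncmp`/`strncasecmp` length argument use one unsigned type.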
@@ -250,15 +251,20 @@
                        }

                        /* Check the path */
+                        len = strlen(ptr);
+                       if (strlen(resolved_name) >= len) {
 #ifdef PHP_WIN32
-                       if (strncasecmp(ptr, resolved_name, strlen(ptr)) == 0)
+                           if (strncasecmp(ptr, resolved_name, len) == 0)
 #else
-                       if (strncmp(ptr, resolved_name, strlen(ptr)) == 0)
+                           if (strncmp(ptr, resolved_name, len) == 0)
 #endif
-                       {
-                               /* File is in the right directory */
-                               efree(pathbuf);
-                               return 0;
+                           {
+                               if ((*(resolved_name + len) == DEFAULT_SLASH) || (*(resolved_name + len) == '\0')) {
+                                   /* File is in the right directory */
+                                   efree(pathbuf);
+                                   return 0;
+                               }
+                           }
                        }
 
                        ptr = end;
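Review bot: The boundary test on the added `*(resolved_name + len) == DEFAULT_SLASH` line refuses valid files when the configured entry itself ends in a slash: with ptr "/var/www/script/" and resolved_name "/var/www/script/a.php", the character at offset len is 'a', so the path is rejected although it lies inside the directory. Drop a trailing DEFAULT_SLASH from len before comparing, or accept the match when the last compared character of ptr is already DEFAULT_SLASH. The outer `strlen(resolved_name) >= len` guard is also redundant, because a successful comparison over len bytes already implies resolved_name is at least that long.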




 [2002-09-29 22:59 UTC] iliaa@php.net
Unless you specify / at the end, PHP will allow any path that begins with the specified string. Meaning that if /a/b/c is specified then /a/b/cde will be allowed. A note about this exists for nearly all directory limiting functions, however it is absent from the docs on the safe_mode_include_dir option. Consequently, I am making this report a documentation issue.
 [2003-01-18 03:35 UTC] philip@php.net
This has now been documented:
http://cvs.php.net/cvs.php/phpdoc/en/features/safe-mode.xml

Thanks for the report :)
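The prefix behaviour discussed in this report, next to a comparison that stops at a directory boundary, as an added example (not PHP's code and not the submitted patch). The function names and sample paths are constructed for illustration; it assumes '/' as the separator and paths that are already resolved.

```c
#include <stdio.h>
#include <string.h>

/* The comparison described in the report: a bare string-prefix test. */
static int prefix_only_match(const char *dir, const char *path)
{
    return strncmp(dir, path, strlen(dir)) == 0;
}

/* Prefix test plus a component-boundary check. Trailing slashes on the
 * configured entry are ignored, so "/a/b" and "/a/b/" behave the same. */
static int dir_boundary_match(const char *dir, const char *path)
{
    size_t len = strlen(dir);

    while (len > 1 && dir[len - 1] == '/')
        len--;                          /* "/a/b/" -> "/a/b" */
    if (len == 0 || strncmp(dir, path, len) != 0)
        return 0;                       /* empty entry or no common prefix */
    if (len == 1 && dir[0] == '/')
        return 1;                       /* root contains every absolute path */
    /* strncmp matched len bytes, so path[len] is inside the string. */
    return path[len] == '/' || path[len] == '\0';
}

int main(void)
{
    /* Constructed sample pairs: { allowed directory, resolved path }. */
    static const char *cases[][2] = {
        { "/var/www/script",  "/var/www/script/a.php"  },
        { "/var/www/script",  "/var/www/scripts/a.php" },
        { "/var/www/script/", "/var/www/script/a.php"  },
        { "/a/b/c",           "/a/b/cde"               },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s %-24s prefix=%d boundary=%d\n", cases[i][0], cases[i][1],
               prefix_only_match(cases[i][0], cases[i][1]),
               dir_boundary_match(cases[i][0], cases[i][1]));
    return 0;
}
```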
 
Last updated: Sat Aug 17 05:01:29 2024 UTC