php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #15018 opendir() not affected by safe_mode
Submitted: 2002-01-13 14:43 UTC Modified: 2002-12-08 22:42 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: daniel at lorch dot cc Assigned:
Status: Closed Package: Filesystem function related
PHP Version: 4.3.0-RC2 OS: Debian Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: daniel at lorch dot cc
New email:
PHP Version: OS:

 

 [2002-01-13 14:43 UTC] daniel at lorch dot cc 
I hope this is not just a configuration problem. We have safe_mode turned on and all file-system functions ARE limited by safe_mode - only readdir() doesn't seem to be. Would anyone mind to have a look at this? I have provided a sample script so it shouldn't take long to test it with your configuration:

----------------------------------
<?php

function list_dir($dir) {
  $h = @opendir($dir);

  if(!$h)
    return false;

  while($e = readdir($h)) {
    $p = $dir . '/' . $e;

    if($p != '.' && $p != '..')
      if(is_dir($p))
        echo '[DIR] ', $e, "<br>\n";
      else
        echo $e, "<br>\n";
  }

  closedir($h);
}

list_dir($QUERY_STRING);

?>
----------------------------------

just save this file as for example "dir.php" and run with

dir.php?/home/customer/

to list contents. I looked at the release announcement of 4.1.1 and there was no description of this bug:

  http://www.php.net/release_4_1_1.php

I also looked through the existing bug database and found nothing about it. Excuse me if it's a dupe or even a bogus.

Kind Regards,
  Daniel Lorch
  http://daniel.lorch.cc/

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-01-13 14:50 UTC] rasmus@php.net 
Like I mentioned on the mailing list, opendir() is the function that would be relevant here.  It is analogous to saying that mysql_query() should block you from accessing data in a database as opposed to this access restriction being placed on the mysql_connect() call.  If the perms on the dir are such that opendir() can read the directory under safe-mode, then readdir() is going to give you a list of the files in that dir.
Whether you can actually open and read those individual files themselves is of course another issue and any such access would be subject to a safe-mode check.  But an individual readdir() call does not have any safe-mode implications.
 [2002-01-13 15:31 UTC] daniel@php.net 
Sorry for the bogus.

Would you care to elaborate? I seem to be misunderstanding something. I just don't understand why - with the same configuration - chdir() cares about the UID, and opendir/readdir don't. chdir raises a "SAFE MODE Restriction in effect" whereas readdir() and opendir() let me browse through all directories where I have apache allowed to.

Thanks for your help.

Kind Regards,
  Daniel Lorch
 [2002-01-14 08:25 UTC] daniel@php.net 
On the same system (=same configuration) chdir() IS limited by safe_mode, opendir() are readdir() are NOT. 

This is either a bug, or if it isn't, I'll make it a feature request. Either way, it should be fixed, I think.

Kind Regards,
  Daniel Lorch
 [2002-01-14 08:55 UTC] biancardi at xware dot it 
i did not test it, but 'looking at the source code' (TM)
seems you need to use open_basedir to limit opendir()
directory range.
 [2002-01-14 10:27 UTC] tapken at engter dot de 
Danielsan is right... i have had a short look into the sourcecode (ext/standard/dir.c) and compared chdir-function with opendir-function.

In PHP_FUNCTION(chdir) i found this three-liner which seems to be a safe_mode-Check:
-------------------------
if (PG(safe_mode) && !php_checkuid((*arg)->value.str.val, NULL, CHECKUI$
        RETURN_FALSE;
}
-------------------------

PHP_FUNCTION(opendir) (or _php_do_opendir() to which this function refers) does not have such a check, just a short open_basedir-Check.
Oh, btw, it seems for me that chdir doesn't do a open_basedir-Check but i may be wrong.

cu, Roland

PS: All what i said is just 'imho' and 'afaik' because i do not have many expiences with C!
 [2002-12-04 12:04 UTC] philip@php.net 
With:

safe_mode = On
safe_mode_gid = On

The code below can browse any directory/file on the system.  This mentions openbase_dir but one (at least I) would think Safe Mode would have more power.  Safe mode is strict in some regards but super loose in others it seems.

In the very least please explain this a bit so it can be documented.  And btw, the following is in the _php_do_opendir code but what does it do?

dirp = php_stream_opendir(Z_STRVAL_PP(arg), ENFORCE_SAFE_MODE|REPORT_ERRORS, NULL);

Also AFICT this was suppose to be fixed:

http://marc.theaimsgroup.com/?l=php-dev&m=101518887024304
 [2002-12-08 22:42 UTC] iliaa@php.net 
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 16 12:01:29 2024 UTC