Doc Bug #16685 safe_mode_include_dir check is not correct
Submitted: 2002-04-18 12:32 UTC Modified: 2003-01-18 03:35 UTC
From: byg at cf1 dot ru Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4.2.0 OS: Linux
Private report: No CVE-ID: None
 [2002-04-18 12:32 UTC] byg at cf1 dot ru
I found that safe_mode_include_dir check is not correct.
Here's why:
resolved_name (the path in question) and ptr (a next directory from the safe_mode_include_dir list) are compared so:
if (strncmp(ptr, resolved_name, strlen(ptr)) == 0)
let ptr="/var/www/script" and resolved_name="/var/www/scripts"
obviously, they will match though it's wrong.
It is necessary to add an extra check for trailing char
(valid one is either a slash or \0)
In fact, checking the lengths of those may save a bit of CPU time
(especially with the long list).
Here's the suggested patch (it is also available at
http://www.cf1.ru/~byg/patch/php/safe_mode_include_dir.patch
ftp://ftp.cf1.ru/pub/patches/php/safe_mode_include_dir.patch
):


--- main/fopen_wrappers.c.orig  Thu Apr 18 21:40:57 2002
+++ main/fopen_wrappers.c       Thu Apr 18 23:02:55 2002
@@ -233,6 +233,7 @@
                char *ptr;
                char *end;
                char resolved_name[MAXPATHLEN];
+               int  len;

                /* Resolve the real path into resolved_name */
                if (expand_filepath(path, resolved_name TSRMLS_CC) == NULL)
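Review bot: `int  len;` should be declared as `size_t len;`, since the second hunk assigns it from strlen(ptr) and compares it with strlen(resolved_name); as written that is a narrowing conversion followed by a signed/unsigned comparison. resolved_name is bounded by MAXPATHLEN, but nothing in the visible lines bounds the length of the list entry in ptr.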
@@ -250,15 +251,20 @@
                        }

                        /* Check the path */
+                        len = strlen(ptr);
+                       if (strlen(resolved_name) >= len) {
 #ifdef PHP_WIN32
-                       if (strncasecmp(ptr, resolved_name, strlen(ptr)) == 0)
+                           if (strncasecmp(ptr, resolved_name, len) == 0)
 #else
-                       if (strncmp(ptr, resolved_name, strlen(ptr)) == 0)
+                           if (strncmp(ptr, resolved_name, len) == 0)
 #endif
-                       {
-                               /* File is in the right directory */
-                               efree(pathbuf);
-                               return 0;
+                           {
+                               if ((*(resolved_name + len) == DEFAULT_SLASH) || (*(resolved_name + len) == '\0')) {
+                                   /* File is in the right directory */
+                                   efree(pathbuf);
+                                   return 0;
+                               }
+                           }
                        }
 
                        ptr = end;
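Review bot: the boundary test `*(resolved_name + len) == DEFAULT_SLASH` fails for a list entry that itself ends in a separator. With ptr = "/var/www/script/" and resolved_name = "/var/www/script/a.php" the first len bytes match, but resolved_name[len] is 'a', so the function no longer returns 0 for a file that is inside the directory. Either strip a trailing DEFAULT_SLASH from ptr before taking len, or also accept the match when len > 0 and ptr[len - 1] is DEFAULT_SLASH. Two smaller points: strlen(resolved_name) does not depend on ptr and can be computed once before the list is walked, and the added `len = strlen(ptr);` line is indented differently from the lines around it.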




 [2002-09-29 22:59 UTC] iliaa@php.net
Unless you specify / at the end, PHP will allow any path that begins with the specified string. Meaning that if /a/b/c is specified then /a/b/cde will be allowed. A note about this exists for nearly all directory limiting functions, however it is absent from the docs on the safe_mode_include_dir option. Consequently, I am making this report a documentation issue.
 [2003-01-18 03:35 UTC] philip@php.net
This has now been documented:
http://cvs.php.net/cvs.php/phpdoc/en/features/safe-mode.xml

Thanks for the report :)
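
The prefix behaviour discussed in this report, as an added example that is not part of the bug report or of PHP's source: it puts the quoted prefix-only comparison beside a boundary-aware check that treats an entry with and without a trailing slash the same way. The function names and sample paths are constructed for illustration, and a POSIX `/` separator is assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The comparison quoted in the report: a pure string-prefix test. */
static int prefix_only_match(const char *dir, const char *resolved)
{
    return strncmp(dir, resolved, strlen(dir)) == 0;
}

/*
 * Boundary-aware test (hypothetical helper): `resolved` must equal `dir` or
 * continue with '/' right after it. Trailing slashes on `dir` are dropped
 * first so "/var/www/script" and "/var/www/script/" behave identically.
 */
static int dir_boundary_match(const char *dir, const char *resolved)
{
    size_t len = strlen(dir);

    while (len > 1 && dir[len - 1] == '/')
        len--;                      /* keep a lone "/" (filesystem root) */
    if (len == 0)
        return 0;                   /* an empty list entry matches nothing */
    if (strncmp(dir, resolved, len) != 0)
        return 0;                   /* also covers resolved shorter than dir */
    if (len == 1 && dir[0] == '/')
        return 1;                   /* root contains every absolute path */
    /* The first len bytes matched, so resolved[len] is within the string. */
    return resolved[len] == '/' || resolved[len] == '\0';
}

int main(void)
{
    /* Constructed sample values, taken from the paths used in the report. */
    const char *dirs[]  = { "/var/www/script", "/var/www/script/" };
    const char *paths[] = { "/var/www/script/a.php", "/var/www/scripts/a.php" };

    for (size_t d = 0; d < 2; d++)
        for (size_t p = 0; p < 2; p++)
            printf("%-18s %-24s prefix=%d boundary=%d\n", dirs[d], paths[p],
                   prefix_only_match(dirs[d], paths[p]),
                   dir_boundary_match(dirs[d], paths[p]));
    return 0;
}
```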
 