Bug #41655 open_basedir bypass via glob()
Submitted: 2007-06-11 17:14 UTC Modified: 2007-09-19 22:40 UTC
Votes: 1
Avg. Score: 5.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 1 (100.0%)
Same OS: 0 (0.0%)
From: dr at peytz dot dk Assigned: iliaa (profile)
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5.2.3 OS: Linux
Private report: No CVE-ID: None
 [2007-06-11 17:14 UTC] dr at peytz dot dk
Description:
------------
file_exists() and similar functions do not allow checking the existence of files outside the directories specified in open_basedir.

This can be circumvented using glob(). glob() does check open_basedir, but its return type still reveals whether files exist outside open_basedir. The existence of a file can be checked using !is_array(glob($filename)).


Reproduce code:
---------------
var_dump(glob('/etc/hosts'));
var_dump(glob('/etc/does-not-exist'));


Expected result:
----------------
bool(false)
bool(false)

or

array(0) {
}
array(0) {
}


Actual result:
--------------
bool(false)
array(0) {
}

 [2007-06-12 12:57 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2007-09-17 07:51 UTC] pajoye@php.net
The fix for this bug introduced a regression.

Using:

$a = glob("/home/pierre/cvs/php52/ext/*/tests/*");

Where:

open_basedir = /home/pierre/cvs/php52

glob fails to access this path:

Warning: glob(): Unable to access /home/pierre/cvs/php52/ext/*/tests in Command line code on line 1




 [2007-09-18 19:08 UTC] iliaa@php.net
This is unavoidable since you don't want things like:

/home/pierre/cvs/php52/ext/*/tests/../../../../../*

to be let through.
 [2007-09-18 20:36 UTC] pajoye@php.net
Please, you can't break BC at this point. My example works before and must work now.

/home/pierre/cvs/php52/ext/*/tests/../../../../../*

has nothing to do with my example except that you add relative paths later. It is simply another case that should fail because of open_basedir.

My example introduces a huge BC break in symfony, to list only one widely used "app". Back to open, if you don't want to fix it yourself, please let me know, I will have to do it myself.
 [2007-09-19 22:40 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


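An added Python model of the two behaviours argued over in this thread; it is not PHP's code or its patch. leaky_glob() reproduces the return-type oracle from the report (False for a match outside open_basedir, an empty array when nothing matches), and safe_glob() is an assumed non-leaking design that resolves every match and drops those outside the base, so the wildcard-inside-base case from the regression comment still works while a `..` after a wildcard cannot escape. The directory layout is constructed in a temporary directory.

```python
import glob
import os
import tempfile

def inside(path, base):
    """True when the resolved path lies within the resolved open_basedir."""
    real, base = os.path.realpath(path), os.path.realpath(base)
    return real == base or real.startswith(base + os.sep)

def leaky_glob(pattern, open_basedir):
    """Model of the PHP 5.2.3 behaviour in the report: a match outside
    open_basedir yields False, no match at all yields [] -- an existence oracle."""
    matches = glob.glob(pattern)
    if any(not inside(p, open_basedir) for p in matches):
        return False
    return matches

def safe_glob(pattern, open_basedir):
    """Assumed non-leaking design (not PHP's actual fix): resolve each match and
    silently drop those outside open_basedir, so 'outside' and 'missing' look
    the same, while wildcards below the base keep working."""
    return [p for p in glob.glob(pattern) if inside(p, open_basedir)]

def demo():
    """Constructed layout (assumption, not the reporter's system):
    <tmp>/base/ext/{a,b}/tests/x.phpt inside open_basedir=<tmp>/base,
    <tmp>/outside/secret outside it."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "base")
    for ext in ("a", "b"):
        os.makedirs(os.path.join(base, "ext", ext, "tests"))
        open(os.path.join(base, "ext", ext, "tests", "x.phpt"), "w").close()
    os.makedirs(os.path.join(root, "outside"))
    open(os.path.join(root, "outside", "secret"), "w").close()
    secret = os.path.join(root, "outside", "secret")
    missing = os.path.join(root, "outside", "does-not-exist")
    # iliaa's concern: '..' after a wildcard climbs out of the base
    up4 = os.path.join(base, "ext", "*", "tests", "..", "..", "..", "..", "*")
    return {
        "base": base,
        "leaky_existing": leaky_glob(secret, base),  # False: file exists
        "leaky_missing": leaky_glob(missing, base),  # []: file absent
        "safe_existing": safe_glob(secret, base),    # [] either way
        "safe_missing": safe_glob(missing, base),
        # pajoye's regression case: a wildcard below the base must still match
        "wildcard_inside": safe_glob(os.path.join(base, "ext", "*", "tests", "*"), base),
        "raw_traversal_escapes": any(not inside(p, base) for p in glob.glob(up4)),
        "safe_traversal": safe_glob(up4, base),      # only in-base matches survive
    }
```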
 [2018-03-31 11:31 UTC] ocean_J01 at 163 dot com
Me too!
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 11 21:01:28 2024 UTC