|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2008-08-12 08:58 UTC] jani@php.net
[2008-08-12 18:05 UTC] tautolog at gmail dot com
[2008-08-13 19:05 UTC] jani@php.net
[2008-08-21 01:00 UTC] php-bugs at lists dot php dot net
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Thu Jan 02 13:01:30 2025 UTC |
Description: ------------ This is not a security issue. It is just a functionality issue. open_basedir resolves links on link-specific operations, getting in the way of expected behavior. I don't think that the ability to read a link target (the target itself, not the file the target resolves to) within the basedir is a security concern because it is no different than the ability to read a config file which refers to a file outside of the basedir. In my thinking about this issue, I am viewing a symbolic link as just an alternate way to associate data with a file that just happens to have common support for treating the data as a target. See my reproduce code. Clearly, "/tmp/testlink" is in the allowed path of "home/ben/public_html:/tmp", but since it resolves to "/test", it is not being allowed. The following system calls (and therefore PHP functions) do not follow symlinks, according to symlink(7) on my BSD system: lchown() lstat() readlink() rename() rmdir() unlink() remove() (just an alias to unlink which is not in PHP) I tested all of them. All of them have this issue. rmdir() is an odd one. According to the manual, if you use it on a symbolic link, it should return ENOTDIR. $ mkdir /tmp/link_target $ ln -s /tmp/link_target /tmp/testlink $ rmdir /tmp/testlink rmdir: /tmp/testlink: Not a directory I have been using symbolic links to back a fast, simple, global, atomic, persistent hash, where the link filename is the key and the link value is the value. I have been running the application with open_basedir set to try to find compatibility problems with it, and found this issue. To work around it, I prefix all values with "./" now. However, there are other cases that cannot be worked around. For example, a php file manager would not even be able to tell whether the file were a link, let alone read its value or delete it. I have some interest in working on a patch. If you agree that it is desirable for open_basedir to not resolve links in some cases, I may be able to provide a patch. Just in case, I also tested the case where a link is outside open_basedir, but it resolves within open_basedir, and it blocked that, which I agree should be the expected behavior. Reproduce code: --------------- Add /tmp to open_basedir $ ln -s /test /tmp/testlink <?php echo is_link("/tmp/testlink") ; ?> Expected result: ---------------- 1 Actual result: -------------- Warning: is_link(): open_basedir restriction in effect. File(/tmp/testlink) is not within the allowed path(s): (/home/ben/public_html:/tmp) in /home/ben/public_html/cvs/app-modernbill-admin/include/lib-action/migrate/- on line 1