php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #73710 open_basedir bypass via glob wrapper
Submitted: 2016-12-10 14:39 UTC Modified: 2017-01-10 00:33 UTC
From: beched at ya dot ru Assigned: pollita (profile)
Status: Duplicate Package: Directory function related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: beched at ya dot ru
New email:
PHP Version: OS:

 

 [2016-12-10 14:39 UTC] beched at ya dot ru 
Description:
------------
This very old and well-known issue, which I decided to report almost 5 years after posting it on rdot forum.
The reason is here: http://lxr.php.net/xref/PHP-7.1/main/streams/glob_wrapper.c#208
Wrapper prefix "glob://" is cut off _after_ php_check_open_basedir is called, so that path is considered as relative, whereas it is absolute.
Obviously, if-block on line 216 should be put after line 221, where path is sliced.

Test script:
---------------
php -dopen_basedir=/home/beched -r 'foreach(new DirectoryIterator("glob:///*") as $f) echo "$f\n";'

or

php -dopen_basedir=/home/beched -r 'foreach(new GlobIterator("/*") as $f) echo "$f\n";'

Expected result:
----------------
PHP Fatal error:  Uncaught UnexpectedValueException: DirectoryIterator::__construct(): open_basedir restriction in effect. File(glob:///*) is not within the allowed path(s): (/home/beched) in Command line code:1
Stack trace:
#0 Command line code(1): DirectoryIterator->__construct('glob:///*')
#1 {main}
  thrown in Command line code on line 1


Actual result:
--------------
bin
boot
build
cdrom
dev
etc
home
initrd.img
initrd.img.old
lib
lib32
lib64
libx32
logs
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-01-09 18:47 UTC] pollita@php.net
-Assigned To: +Assigned To: pollita
 [2017-01-10 00:17 UTC] pollita@php.net
-Status: Assigned +Status: Closed
 [2017-01-10 00:17 UTC] pollita@php.net 
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

https://github.com/php/php-src/commit/7e49e8e7970b423968de7a53ea9a0796f4634276
 [2017-01-10 00:33 UTC] stas@php.net
-Status: Closed +Status: Duplicate
 [2017-01-10 00:33 UTC] stas@php.net 
Same as bug #73891.
 [2017-01-10 09:46 UTC] beched at ya dot ru 
Well, I guess, you created a relation recursion of reports.
Bug #73891 is duplicate of this (and was reported 1 month later, while this report was ignored), not vice versa.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 12:01:29 2024 UTC