php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #76894 imageftbbox - listing files outside of openbase_dir
Submitted: 2018-09-17 04:04 UTC Modified: 2021-08-18 15:33 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: fernando at null-life dot com Assigned:
Status: Open Package: GD related
PHP Version: 7.2.10 OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: fernando at null-life dot com
New email:
PHP Version: OS:

 

 [2018-09-17 04:04 UTC] fernando at null-life dot com 
Description:
------------
When specifying a file that is outside of the openbasedir path, imageftbbox emits two warnings when the file used as a font exists, and only one when it doesn't. This allows to identify existing paths/files. I'm testing on Windows only.

For example: 

imageftbbox(10, 0, "C:\\windows", 'PHP');

Warning: imageftbbox(): open_basedir restriction in effect. File(c:\windows) is not within the allowed path(s): (C:\tools\phuzzer) in C:\tools\phuzzer\imageft.php on line 15

Warning: imageftbbox(): Invalid font filename in C:\tools\phuzzer\imageft.php on line 15

Test script:
---------------
php.exe -n -dopen_basedir=C:\tools\phuzzer -dextension=ext\php_gd2.dll imageft.php

<?php


function myErrorHandler($errno, $errstr, $errfile, $errline) {
  global $errorsgenerated;  
  $errorsgenerated = $errorsgenerated + 1;
  return true;
}

set_error_handler('myErrorHandler');

function file_exists_openbasedir($path) {
	global $errorsgenerated;
	$errorsgenerated = 0;
	imageftbbox(10, 0, $path, 'PHP');
	return $errorsgenerated > 1;
}

echo "c:\\anythingelse ".(file_exists_openbasedir("c:\\anythingelse") ? "exists" : "doesnt exist").PHP_EOL;
echo "c:\\windows ".(file_exists_openbasedir("c:\\windows")?  "exists" : "doesnt exist").PHP_EOL;

Expected result:
----------------
Same behavior regardless the file exists or no.

Actual result:
--------------
c:\anythingelse doesnt exist
c:\windows exists

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-09-17 15:14 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2018-09-17 15:14 UTC] cmb@php.net 
According to our security classification[1] this is not a
security issue, since it:

| requires the use of settings not recommended for production -
| ex. error reporting to output

It seems strange that ZTS versions do not issue the open_basedir
restriction warning for non-existant files, but since the other
warning is the result of a failing open_basedir check, that's a
minor issue.

[1] <https://wiki.php.net/security>
 [2018-09-17 17:02 UTC] fernando at null-life dot com 
Hi cmb, 

I think the argument regarding settings not recommended for production is not valid here, as you can see, even with display_errors=Off the code is still able to detect existing files/dirs out of the openbasedir path. 

If you don't want to clasify it as a security issue for any other reason, that's OK for me.

D:\FMS\fms\php7210ts>php.exe -n -dopen_basedir=d:\fms -ddisplay_errors=Off -dextension=ext\php_gd2.dll x.php
c:\anythingelse doesnt exist
c:\windows exists

As you mention, it only happens with the ZTS version, the NTS doesn't show this behaviour. Thanks"
 [2021-08-18 15:33 UTC] cmb@php.net 
> If you don't want to clasify it as a security issue for any
> other reason, that's OK for me.

Maybe moot after this long time, but it has been decided to
classify any open_basedir related issue as not a security
issue[1].

Anyhow, this is related to bug #75656.

[1] <https://wiki.php.net/security>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 18:01:29 2024 UTC