Bug #77085 Function glob() is not checked for open_basedir
Submitted: 2018-10-31 01:49 UTC
Modified: 2021-08-02 16:08 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: pavtov90 at gmail dot com
Assigned: cmb
Status: Duplicate
Package: Filesystem function related
PHP Version: 7.2.11
OS: Windows/Linux
Private report: No
CVE-ID: None
 [2018-10-31 01:49 UTC] pavtov90 at gmail dot com
Description:
------------
I've seen previous reports, but their status is fixed.

Wrapper on Windows glob:// is not checked for open_basedir. If I checked correctly, where it is possible to insert it, errors will be generated that can be used as True or False. But I decided to test it simply, without unnecessary functions.


Test script:
---------------
php.ini:

open_basedir = C:/php/




<?php
var_dump(glob("C:/test/1*"));
?>

Expected result:
----------------
Warning: _____ open_basedir restriction in effect...

Actual result:
--------------
If true (a file or folder exists)
Result : bool(false)

If false(no file or folder exists)
Result : array(0){}

 [2018-10-31 02:23 UTC] pavtov90 at gmail dot com
-Operating System: Windows
+Operating System: Windows/Linux
 [2018-10-31 02:23 UTC] pavtov90 at gmail dot com
I am testing on Linux through ini_set('open_basedir','/path/'); and it gave me the same result.
 [2018-10-31 02:24 UTC] pavtov90 at gmail dot com
-Summary: Wrapper on Windows glob:// is not checked for open_basedir
+Summary: Wrapper on glob:// is not checked for open_basedir
 [2018-10-31 02:24 UTC] pavtov90 at gmail dot com
.
 [2018-10-31 02:25 UTC] pavtov90 at gmail dot com
On Linux - PHP Version 7.1.23
 [2018-10-31 07:59 UTC] pavtov90 at gmail dot com
-Summary: Wrapper on glob:// is not checked for open_basedir
+Summary: Function glob() is not checked for open_basedir
 [2018-10-31 07:59 UTC] pavtov90 at gmail dot com
/
 [2018-10-31 08:33 UTC] spam2 at rhsoft dot net
would you stop your one char comments triggering in mails leading to whatever cared about the Bugreport filters it no?
 [2018-10-31 15:16 UTC] cmb@php.net
-Status: Open
+Status: Verified
-Package: *General Issues
+Package: Filesystem function related
 [2018-10-31 15:16 UTC] cmb@php.net
The open_basedir check is done for each of the globbed files, and
suppresses warnings[1], likely to prevent multiple warnings.
However, it doesn't trigger a single open_basedir related warning,
if an open_basedir violation had been detected[2].

> If false(no file or folder exists)
> Result : array(0){}

This is a particular issue.  If no file is globbed, no individual
open_basedir check can be done (and possibly fail).  While there
is an open_basedir check on the pattern[3], it is skipped on
Windows, and I wonder whether it can be sufficient for all
possible glob patterns on other systems.

To avoid any open_basedir related differences, we could never
return an empty array (and never raise an open_basedir warning),
but that would be quite a BC break[4].

BTW: the `continue`[5] doesn't seem to make sense.  A `break`
should be more sensible.

[1] <https://github.com/php/php-src/blob/php-7.3.0RC4/ext/standard/dir.c#L516>
[2] <https://github.com/php/php-src/blob/php-7.3.0RC4/ext/standard/dir.c#L546-L547>
[3] <https://github.com/php/php-src/blob/php-7.3.0RC4/ext/standard/dir.c#L504>
[4] <https://github.com/php/php-src/blob/php-7.3.0RC4/ext/standard/dir.c#L478-L484>
[5] <https://github.com/php/php-src/blob/php-7.3.0RC4/ext/standard/dir.c#L518>
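
Added example, not part of the original thread and not php-src code: an application-level guard that rejects a glob pattern outside the allowed base directories before glob() touches the filesystem, so the caller sees the same outcome whether or not a match exists. The helper names guarded_glob() and lexical_normalize() are hypothetical, and the check is purely lexical, so it assumes no symlinks lead out of the base.

```php
<?php
// Added example (not php-src code). guarded_glob() and lexical_normalize()
// are hypothetical helpers; symlinks are NOT resolved (assumption: none in the base).
function lexical_normalize(string $path): string
{
    // Pure string work: no filesystem access, so nothing about existence leaks.
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { throw new InvalidArgumentException('".." segments are rejected'); }
        $out[] = $seg;
    }
    return $out ? '/' . implode('/', $out) . '/' : '/';
}

function guarded_glob(string $pattern, ?array $bases = null): array
{
    // Default to the configured open_basedir list; an explicit list eases testing.
    $bases = $bases ?? array_filter(explode(PATH_SEPARATOR, (string) ini_get('open_basedir')));
    if (!preg_match('#^(/|[A-Za-z]:[\\\\/])#', $pattern)) {
        throw new InvalidArgumentException('pattern must be absolute');
    }
    // Windows paths compare case-insensitively.
    $fold = DIRECTORY_SEPARATOR === '\\' ? 'strtolower' : 'strval';
    $target = $fold(lexical_normalize($pattern));
    $inside = ($bases === []);   // no open_basedir configured: nothing to enforce
    foreach ($bases as $base) {
        $prefix = $fold(lexical_normalize($base));
        if (strncmp($target, $prefix, strlen($prefix)) === 0) {
            $inside = true;
            break;
        }
    }
    if (!$inside) {
        // Rejected before glob() runs: same outcome whether or not a match exists.
        throw new RuntimeException('pattern is outside the allowed base directories');
    }
    // No flags (so no GLOB_BRACE expansion); false and "no match" both become [].
    return glob($pattern) ?: [];
}

// Constructed demo using the report's values: both probes fail identically.
foreach (['C:/test/1*', 'C:/test/no-such-file*'] as $probe) {
    try {
        guarded_glob($probe, ['C:/php/']);
    } catch (RuntimeException $e) {
        echo $probe, ' => ', $e->getMessage(), "\n";
    }
}
```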
 [2018-10-31 15:58 UTC] pavtov90 at gmail dot com
Getting a bypass on open_basedir?
 [2021-08-02 16:08 UTC] cmb@php.net
-Status: Verified
+Status: Duplicate
-Assigned To:
+Assigned To: cmb
 [2021-08-02 16:08 UTC] cmb@php.net
Well, this is actually a duplicate of bug #65489.