|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2019-06-11 09:57 UTC] phith0n dot ph2f at gmail dot com
Description: ------------ I found that if write a new file/directory (the file shouldn't exist) into Linux root directory, the open_basedir is not worked, maybe the php_check_specific_open_basedir has a logic bug. After digging into the source code, I found an error in https://github.com/php/php-src/blob/master/main/fopen_wrappers.c#L189. It wishes to find the latest slash in path, but if the path is equal to "/sample", the latest slash is the root directory, the result of the resolved_name is a point to an empty string. The empty string is a substring of any other string, so open basedir checker returns true. The bug influences lots of functions, such as: - file_put_contents - mkdir - touch - fopen - ... Test script: --------------- root@s:/var/www/html# php -d open_basedir=/var/www/html/ -r "file_put_contents('/file_put_contents', 'data');" root@s:/var/www/html# ls -al /file_put_contents Expected result: ---------------- -rw-r--r-- 1 root root 4 Jun 11 12:42 /file_put_contents Actual result: -------------- Warning: file_put_contents(): open_basedir restriction in effect. File(/file_put_contents) is not within the allowed path(s): (/var/www/html/) in Command line code on line 1 Warning: file_put_contents(/file_put_contents): failed to open stream: Operation not permitted in Command line code on line 1 ls: cannot access '/file_put_contents': No such file or directory PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Dec 21 17:01:58 2024 UTC |
Hi @cmb. I still have this bug. I test it on the latest version of PHP 7.4 in docker: # root @ OrangeDeafening-VM in ~ [21:06:31] $ docker pull php:7.4 7.4: Pulling from library/php 54fec2fa59d0: Pull complete cc4504446071: Pull complete f8d55b89827d: Pull complete 6bf7f8bea876: Pull complete 9a178eabfa4a: Pull complete 99583d0b7ff2: Pull complete 79c3ed7f9118: Pull complete cc3f66def185: Pull complete 4f837fda4b52: Pull complete Digest: sha256:aa449b3b778a3549a89dde21b35261516ecabd84891081b72000a8f94a457f3c Status: Downloaded newer image for php:7.4 # root @ OrangeDeafening-VM in ~ [21:07:22] $ docker run -it --rm --name uu php:7.4 bash root@ead2e727ca67:/# cd /var/www/ root@ead2e727ca67:/var/www# ls html root@ead2e727ca67:/var/www# cd html/ root@ead2e727ca67:/var/www/html# ls root@ead2e727ca67:/var/www/html# php -d open_basedir=/var/www/html/ -r "file_put_contents('/file_put_contents', 'data');" root@ead2e727ca67:/var/www/html# ls -al /file_put_contents -rw-r--r-- 1 root root 4 May 6 13:08 /file_put_contents root@ead2e727ca67:/var/www/html# php -v PHP 7.4.5 (cli) (built: Apr 23 2020 16:39:51) ( NTS ) Copyright (c) The PHP Group Zend Engine v3.4.0, Copyright (c) Zend Technologies root@ead2e727ca67:/var/www/html# I also test it on Ubuntu 18.04, but the result is different. I am not sure if this bug only affects docker PHP or source-compiled PHP.