php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #13447 Security not blocking "unlink" delete functions
Submitted: 2001-09-26 04:48 UTC Modified: 2005-01-31 23:34 UTC
From: ajo at dpzone dot com Assigned:
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 4.0.6 OS: windows 2000
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: ajo at dpzone dot com
New email:
PHP Version: OS:

 

 [2001-09-26 04:48 UTC] ajo at dpzone dot com
Running PHP in Apache using the MODULE configuration.

Apache/1.3.14 (Win32) PHP/4.0.6 mod_ssl/2.7.2 OpenSSL/0.9.6 running.

With the following: 

php_admin_flag safe_mode on
php_admin_value open_basedir c:/pr
php_admin_value doc_root c:/pr
php_admin_value user_dir c:/pr

IT SUCCESSFULLY blocks reads in directories other than c:/pr, but it DOES NOT block unlinks (file deletion) outside. So... My users cannot read other users files, however they can delete anything they want. Very strange. I DO NOT care about it checking "UIDs" as I do not create different Users for each USER... I want to be able to restrict access to a directory and call it good. 

<?php

echo "Peace!";
//unlink ("c:/test.txt");// UNLINK WORKS (This should fail)
$fp = fopen ("c:/test.txt", "r"); // FAILS SECURITY CHECK
echo "Dude10";
?>

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-12-19 08:43 UTC] sander@php.net
Can you try adding a trailing slash (c:/pr/), and can you try 4.1.0???
 [2001-12-19 15:47 UTC] ajo at dpzone dot com
I tried both adding a trailing slash (c:/pr/), and  4.1.0

You are still able to delete a file at your choosing. It's also interesting that the following has NO EFFECT.

php_admin_value disable_functions unlink

I have been unable to disable the command also. 

I really want to get PHP setup, but I can't give global access to everyone.
 [2001-12-21 03:48 UTC] derick@php.net
This is fixed in CVS now.

Derick
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Jan 22 13:01:23 2020 UTC