PHP :: Bug #21958 :: fopen fails in safe mode

Bug #21958

fopen fails in safe mode

Submitted:

2003-01-30 00:01 UTC

Modified:

2003-08-07 10:36 UTC

Votes:	6
Avg. Score:	5.0 ± 0.0
Reproduced:	5 of 5 (100.0%)
Same Version:	2 (40.0%)
Same OS:	2 (40.0%)

From:

ct at swin dot edu dot au

Assigned:

iliaa (profile)

Status:

Closed

Package:

Filesystem function related

PHP Version:

4.3.3-dev

OS:

Tru64 UNIX 5.1A

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	ct at swin dot edu dot au
New email:
PHP Version:		OS:

New Comment:

[2003-01-30 00:01 UTC] ct at swin dot edu dot au

PHP 4.2.3 configured in safe mode cannot create new files.

$fname = "/web/ct/tmp/file.txt";
$filePtr = fopen($fname,"w");


Warning: Unable to access /web/ct/tmp/file.txt in /web/ct/test4.php on line 4

Warning: fopen("/web/ct/tmp/file.txt", "w") - No such file or directory in /web/ct/test4.php on line 4

The permissions on the directory are:

drwxrwxrwx   2 root     system      8192 Jan 30 16:42 tmp

If the file /web/ct/tmp/file.txt already exists, PHP can open it for writing.


PHP 4.1.2 can successfully create files using the same configuration.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-01-30 09:17 UTC] iliaa@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

[2003-01-30 18:49 UTC] ct at swin dot edu dot au

With php4-STABLE-latest (200301302230) it returns the following error:

Warning: fopen() [function.fopen]: Unable to access /web/ct/tmp/file.txt in /web/ct/test4.php on line 4

Warning: fopen(/web/ct/tmp/file.txt) [function.fopen]: failed to create stream: No such file or directory in /web/ct/test4.php on line 4

[2003-02-19 18:57 UTC] sniper@php.net

What are the permissions for /web and /web/ct directories?

[2003-02-19 19:03 UTC] ct at swin dot edu dot au

# ls -ld /web /web/ct
drwxr-xr-x 110 root     system      8192 Nov 28 15:41 /web
drwxr-xr-x   7 ct       system      8192 Jan 31 15:22 /web/ct

[2003-02-19 21:41 UTC] sniper@php.net

I can not reproduce this with latest CVS snapshot.
What SAPI are you using? CGI..? Apache module?

[2003-02-19 22:58 UTC] ct at swin dot edu dot au

Apache module

[2003-02-20 00:07 UTC] ct at swin dot edu dot au

I have noticied that if I replace the safe_mode.c file with the one from PHP 4.1.2 it works properly.

[2003-02-23 05:22 UTC] sniper@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip


There have been couple of fixes lately which might fix this as side-effect, please give  it a go.

[2003-02-23 23:43 UTC] ct at swin dot edu dot au

The build from php4-STABLE-200302231230 still produces the same error.

[2003-02-26 01:06 UTC] ct at swin dot edu dot au

I have noticed that in safe_mode.c after the line that has VCWD_REALPATH(filename, path); (Line 84 from CVS version) the value of path is always NULL in Tru64 UNIX.  

The same code testing on Linux using CLI SAPI, path = correct value.

[2003-02-26 20:44 UTC] magnus@php.net

Using Tru64 UNIX 5.1.
Both 4.3.2-dev and 5.0.0-dev.

Tested with safe_mode on and trying to create a file in /tmp

[2003-04-01 11:29 UTC] ohp at pyrenet dot fr

I have the same problem on 4.2.3 and 4.3.1.
I noticed that making touch before fopen("xxx","w") creates the file so fopen succeeds.

[2003-04-23 13:57 UTC] patrick_cossette1 at uqtr dot ca

With AIX 4.3.3 and PHP 4.3.1.

With safe_mode on , I cannot create a file with neither touch nor fopen nor mkdir. (With safe_mode off, the creation works).

Apache is running under user "web" and group "web".
I have the directory /web/hee_dev whose owner is web.web with permissions rwxr-s---

I have the script testing.php located in that directory:

   <?
     $fp=fopen("filetocreate","w+");
   ?>

If the file "filetocreate" does not already exist, I get the following error while executing the script:
 
           Warning: Unable to access filetocreate  
           in /web/hee_dev/testing.php on line 2

           Warning: fopen("filetocreate", "w+") - No such 
           file or directory in /web/hee_dev/testing.php on 
           line 2

If the file already exists, I can open it without any problem.


I had read somewhere in the bug database that this should be solved by now, but with 4.3.1, it still produces this error.

[2003-05-26 09:34 UTC] ohp at pyrenet dot fr

The bug is still there with php-4.3.2RC4 as an apache 1.3.27 module.
This is on Unixware 7.

with safe_mode=Off, file creation succeeds,
with safe_mode=On, file creattion fails with "failed to open stream: no such file or directory ..."

I've tried setting the dir 777, make it owned by apache UID.. Nothing worked.

A truss of the apache server showed that the last syscall before failed was a pathconf(filename,...) returning ENOENT
File didn't exist so it's normal.

Please help

[2003-05-27 06:29 UTC] ohp at pyrenet dot fr

I have made tons of research on this since yesterday.
It appears that realpath (at least on UW 713) set path to NULLL, returns NULL with errno=2 in case of a non existing file on line 86 in safe_mode.c then function proceeds to line  116 with a NULL path, all functions fail and the file cannot be created.

Hope this help to create a patch (I'm trying to but don't know the code enough too) Please someone help.

ohp@pyrenet.fr

[2003-05-28 10:47 UTC] ohp at pyrenet dot fr

after 2 strggling, I came with the following path on 
safe_mode.c against 4.3.2RC4.
Not sure it's the right thing to do.
could someone have a look?
Regards

*** main/safe_mode.c.orig	lun mrs 17 14:50:23 2003
--- main/safe_mode.c	mar mai 27 15:06:30 2003
***************
*** 66,71 ****
--- 66,72 ----
  			mode = CHECKUID_DISALLOW_FILE_NOT_EXISTS;
  		} else {
  			mode = CHECKUID_CHECK_FILE_AND_DIR;
+ 			flags=1;
  		}
  	}
  
***************
*** 81,86 ****
--- 82,88 ----
  	 * If that fails, passthrough and check 
directory...
  	 */
  	if (mode != CHECKUID_ALLOW_ONLY_DIR) {
+ 		strcpy(path,filename);
  		VCWD_REALPATH(filename, path);
  		ret = VCWD_STAT(path, &sb);
  		if (ret < 0) {

this works on Unixware 713

[2003-05-30 11:12 UTC] juha dot moisio at tietonauha dot fi

I tested that patch.
Works just fine in AIX 4.3.1 php 4.3.2

-Juha-

[2003-06-01 23:54 UTC] ct at swin dot edu dot au

Patch makes no difference with Tru64 UNIX 5.1A and PHP 4.3.2.

[2003-06-04 06:24 UTC] ohp at pyrenet dot fr

Hi, Glad to see my patch works on AIX, not so glad it fails with TRU64 UNIX

Did you test with the same script/environment you wrote on Jan 30?

Did you try to log the value of path after each VCWD_REALPATH.

AFAICS, the whole bug comes from realpath doing nasty things when path is NULL hence the strcopy I added.

Feel free to email directly. I'm not a PHP developper (I'd love the help of one on this one) but I want to get rid of this bug.

Regards
Olivier

[2003-06-04 18:17 UTC] ct at swin dot edu dot au

I suspect some implementations of realpath will not touch the resolved path if the filename does not exist.  This would explain why your patch works on some systems.  On Tru64 realpath will set the resolved path to NULL if the file does not exist.  As such, setting path in the strcpy before VCWD_REALPATH doesn't fix the problem, at least on Tru64.

PHP is making some assumptions about the behaviour of realpath, but there are differences in the way vendors handle the case of a non existent file.

I have got around this problem by using the realpath function from the BSD source.

[2003-06-19 10:22 UTC] ohp at pyrenet dot fr

Would you please send the patch (on the list or to me) I don't have the realpath source handy and would love to give your patch a try.

Regards

[2003-08-07 10:36 UTC] iliaa@php.net

This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

[2004-05-11 03:47 UTC] henrypijames at mailcity dot com

It looks like this bug isn't closed at all, at least not in PHP 4.3.6 on HP-UX B.10.20:

<?php
$fname = "/home/xyz/public_html/test/file.txt";
$filePtr = fopen($fname, "w");
?>

drwxrwxrwx   2 xyz        xyz         80 May 11 03:00 test

Warning: fopen(): SAFE MODE Restriction in effect. The script running as uid 600 is not allowed to write to directory /home/xyz/public_html/test owned by uid 1234 in /home/xyz/public_html/test.php on line 3

Warning: fopen(/home/xyz/public_html/test/file.txt): failed to open stream: No such file or directory in /home/xyz/public_html/test.php on line 3

[2004-05-28 21:27 UTC] rainy at partlycloudy dot com

It is still broken in 4.3.6.

Additionally, php_realpath_hack is needed on Solaris 8 as well.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Apr 20 03:01:28 2024 UTC