php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #26653 open_basedir bug
Submitted: 2003-12-17 12:12 UTC Modified: 2005-01-31 23:24 UTC
From: eddyleo777 at hotmail dot com Assigned:
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 4CVS, 5CVS OS: Win32
Private report: No CVE-ID:
 [2003-12-17 12:12 UTC] eddyleo777 at hotmail dot com
Description:
------------
test.php
<?php
fopen("c:/apache/user_security/passwd", "r");
?>

php.ini
open_basedir = "c:\apache\user\" ;work
open_basedir = "c:/apache/user" ;it does not work
open_basedir = "c:/apache/user/" ;it does not work


Reproduce code:
---------------
php4-200312171430/main/fopen_wrappers.c on line 133

/* Handler for basedirs that end with a / */	
if (basedir[strlen(basedir)-1] == PHP_DIR_SEPARATOR) {
  resolved_basedir_len = strlen(resolved_basedir);
  resolved_basedir[resolved_basedir_len] = '/';
  resolved_basedir[++resolved_basedir_len] = '\0';
} else {
  resolved_basedir_len = strlen(resolved_basedir);	
}

if (path[strlen(path)-1] == PHP_DIR_SEPARATOR) {
  resolved_name_len = strlen(resolved_name);
  resolved_name[resolved_name_len] = '/';
  resolved_name[++resolved_name_len] = '\0';
}


Expected result:
----------------
the introduced solution not work.
interpret this possible solution please.

php4-200312171430/main/fopen_wrappers.c on line 133

/* Handler for basedirs that end with a / */	
if (???is_dir???(resolved_basedir)) {
  resolved_basedir_len = strlen(resolved_basedir);
  resolved_basedir[resolved_basedir_len] =PHP_DIR_SEPARATOR;
  resolved_basedir[++resolved_basedir_len] = '\0';
} else {
  resolved_basedir_len = strlen(resolved_basedir);
}

if (???is_dir???(resolved_name)) {
  resolved_name_len = strlen(resolved_name);
  resolved_name[resolved_name_len] = PHP_DIR_SEPARATOR;
  resolved_name[++resolved_name_len] = '\0';
}



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-02-09 17:58 UTC] scottmacvicar at ntlworld dot com
When the value in php.ini has no trailing slash or a slash which differs from the value of PHP_DIR_SEPARATOR the condition on line 135 against the path fails, causing the function not to add the trailing slash to the resolved_basedir value.

I also noticed that if the condition was to work it would only append / to the resolved_basedir / resolved_name when it should in fact append PHP_DIR_SEPARATOR.

Patch
---
diff -u fopen_wrappers.c fopen_wrappers.c.patched
--- fopen_wrappers.c    2004-02-09 22:47:35.000000000 +0000
+++ fopen_wrappers.c.patched    2004-02-09 22:49:14.000000000 +0000
@@ -132,15 +132,15 @@
        if ((expand_filepath(path, resolved_name TSRMLS_CC) != NULL) && (expand_filepath(local_open_basedir, resolved_basedir TSRMLS_CC) != NULL)) {
                /* Handler for basedirs that end with a / */
                resolved_basedir_len = strlen(resolved_basedir);
-               if (basedir[strlen(basedir)-1] == PHP_DIR_SEPARATOR && resolved_basedir[resolved_basedir_len -1] != PHP_DIR_SEPARATOR) {
-                       resolved_basedir[resolved_basedir_len] = '/';
+               if (resolved_basedir[resolved_basedir_len -1] != PHP_DIR_SEPARATOR) {
+                       resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR;
                        resolved_basedir[++resolved_basedir_len] = '\0';
                }
 
                if (path[strlen(path)-1] == PHP_DIR_SEPARATOR) {
                        resolved_name_len = strlen(resolved_name);
                        if (resolved_name[resolved_name_len - 1] != PHP_DIR_SEPARATOR) {
-                               resolved_name[resolved_name_len] = '/';
+                               resolved_name[resolved_name_len] = PHP_DIR_SEPARATOR;
                                resolved_name[++resolved_name_len] = '\0';
                        }
                }
 [2004-02-10 11:03 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 13:02:15 2014 UTC