php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #26974 rename() doesn't check newname permissions in safe_mode
Submitted: 2004-01-20 06:37 UTC Modified: 2004-01-20 21:27 UTC
From: daveb at esat dot net Assigned: iliaa (profile)
Status: Closed Package: Filesystem function related
PHP Version: 4.3.4 OS: Linux
Private report: No CVE-ID: None
 [2004-01-20 06:37 UTC] daveb at esat dot net
Description:
------------
When running under apache2 with a perchild MPM & safe_mode turned on, it is possible to rename a file owned by a user into a directory that the user does not own but has write permissions too. This works, even when safe_mode is turned on.

A simple example is ...

daveb@bilbo:$ touch moo
daveb@bilbo:$ ls -la moo
-rw-r--r--    1 daveb    noc             0 Jan 20 11:31 moo


The php script is simply...

rename ("./moo", "/tmp/crap");


Once called, the file moves to /tmp, even though the directory is owned by root.

daveb@bilbo:$ ls -la /tmp/crap
-rw-r--r--    1 daveb    noc             0 Jan 20 11:31 crap



It would appear that in ext/standard/file., in the rename() function, no checking is done on new_name to see if the user has the correct UID to write into that destination directory.

Changing line 1890 to the following ...

if (PG(safe_mode) && (!php_checkuid(old_name, NULL, CHECKUID_CHECK_FILE_AND_DIR) || !php_checkuid(new_name, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {

adds checking for the destination as well and prevents users writing into directories, where although they have permission to write into, they do not own that directory and should not be writing too.

When running with that extra check, php now logs...

[client ::1] PHP Warning:  rename(): SAFE MODE Restriction in effect.  The script whose uid is 677 is not allowed to access /tmp owned by uid 0 in /usr/local/apache/iweb/rename.php on line 3


According to http://ie2.php.net/manual/en/features.safe-mode.functions.php,
rename() should "...Checks whether the directory in which you are about to operate has the same UID (owner) as the script that is being executed."...

Is the documentation out of sync with the code ? Or the other way around ?







Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-01-20 21:27 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Oct 15 20:01:27 2024 UTC