php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #33690 Setting save_path in httpd.conf under safemode gives SEGV
Submitted: 2005-07-14 04:20 UTC Modified: 2005-07-26 00:40 UTC
From: david at madole dot net Assigned: rasmus
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5CVS, 4CVS (2005-07-14) OS: *
Private report: No CVE-ID:
 [2005-07-14 04:20 UTC] david at madole dot net
Description:
------------
./configure \
  --prefix=/usr/local/opt/php4-STABLE-200507140043 \
  --with-apxs2=/usr/local/opt/httpd-2.0.54/bin/apxs \
  --with-config-file-path=/etc \
  --enable-debug

diff php.ini-dist /etc/php.ini
158c158
< safe_mode = Off
---
> safe_mode = On

<Directory /home/user/www>
  PHP_Admin_Value open_basedir /home/user/
  PHP_Admin_Value session.save_path /home/user/tmp/
</Directory>

On serving any page from /home/user/www, even plain HTML files not parsed by PHP, a SEGV is encountered in the Apache child process.

The error occurs in sapi/apache2handler/sapi_apache2.c line 173, where ctx is dereferenced while containing NULL (see very end of backtract below):

        ctx->finfo.st_uid = ctx->r->finfo.user;

Removing the newly introduced OnUpdateSaveDir check in ext/session/session.c eliminates the problem.


Reproduce code:
---------------
<html><body>Test</body></html>


Expected result:
----------------
Display "Test" in browser.

Actual result:
--------------
#0  0x2851ba51 in php_apache_sapi_get_stat ()
    at /usr/local/src/php4-STABLE-200507140043/sapi/apache2handler/sapi_apache2.c:173
#1  0x284d9122 in sapi_get_stat ()
    at /usr/local/src/php4-STABLE-200507140043/main/SAPI.c:848
#2  0x28487317 in php_statpage ()
    at /usr/local/src/php4-STABLE-200507140043/ext/standard/pageinfo.c:73
#3  0x28487383 in php_getuid ()
    at /usr/local/src/php4-STABLE-200507140043/ext/standard/pageinfo.c:99
#4  0x284d5b99 in php_checkuid_ex (
    filename=0xbfbfdff0 "/home/madole.net/tmp/", fopen_mode=0x0, mode=3,
    flags=0) at /usr/local/src/php4-STABLE-200507140043/main/safe_mode.c:150
#5  0x284d5cda in php_checkuid (filename=0x81dc6a4 "/home/madole.net/tmp/",
    fopen_mode=0x0, mode=3)
    at /usr/local/src/php4-STABLE-200507140043/main/safe_mode.c:191
#6  0x28443c64 in OnUpdateSaveDir (entry=0x81cbf00,
    new_value=0x81dc6a4 "/home/madole.net/tmp/", new_value_length=21,
    mh_arg1=0x0, mh_arg2=0x28577900, mh_arg3=0x0, stage=16)
    at /usr/local/src/php4-STABLE-200507140043/ext/session/session.c:123
#7  0x285101be in zend_alter_ini_entry (name=0x81106a0 "session.save_path",
    name_length=18, new_value=0x8123698 "/home/madole.net/tmp/",
    new_value_length=21, modify_type=4, stage=16)
    at /usr/local/src/php4-STABLE-200507140043/Zend/zend_ini.c:232
#8  0x2851cc48 in apply_config (dummy=0x8123598)
    at /usr/local/src/php4-STABLE-200507140043/sapi/apache2handler/apache_config.c:167
#9  0x2851c207 in php_handler (r=0x81f2050)
    at /usr/local/src/php4-STABLE-200507140043/sapi/apache2handler/sapi_apache2.c:457
#10 0x0807a45a in ap_run_handler (r=0x81f2050) at config.c:152
#11 0x0807a825 in ap_invoke_handler (r=0x81f2050) at config.c:364
#12 0x08069a35 in ap_process_request (r=0x81f2050) at http_request.c:249
#13 0x08065411 in ap_process_http_connection (c=0x81ec128) at http_core.c:251
#14 0x08083c72 in ap_run_process_connection (c=0x81ec128) at connection.c:43
#15 0x08078c71 in child_main (child_num_arg=0) at prefork.c:610
#16 0x08078e65 in make_child (s=0x80b9760, slot=0) at prefork.c:650
#17 0x08078f2c in startup_children (number_to_start=5) at prefork.c:722
#18 0x080795af in ap_mpm_run (_pconf=0xbfbfec40, plog=0x80ed018, s=0xbfbfec48)
    at prefork.c:941
#19 0x0807e74b in main (argc=6, argv=0xbfbfed38) at main.c:618
(gdb) print ctx
$1 = (php_struct *) 0x0


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-07-14 08:53 UTC] sniper@php.net
Apperently the fix for #33072 causes this.


 [2005-07-25 16:11 UTC] rasmus@php.net
Could someone please try the patch I posted here for this one?

http://news.php.net/php.internals/17261
 [2005-07-25 19:32 UTC] david at madole dot net
Yes, that patch does resolve the problem reported here.

Thank you!
 [2005-07-26 00:40 UTC] rasmus@php.net
Fix committed to both PHP 4.4 and 5.1 trees
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 20:02:01 2014 UTC