php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #41655 open_basedir bypass via glob()
Submitted: 2007-06-11 17:14 UTC Modified: 2007-09-19 22:40 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: dr at peytz dot dk Assigned: iliaa
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5.2.3 OS: Linux
Private report: No CVE-ID:
 [2007-06-11 17:14 UTC] dr at peytz dot dk
Description:
------------
file_exists() etc. does not allow checking the existence of files outside the directories specified in open_basedir.

This can be circumvented using glob(). glob() does check open_basedir, but its return type still reveals whether files exist outside open_basedir. The existence of a file can be checked using !is_array(glob($filename)).


Reproduce code:
---------------
var_dump(glob('/etc/hosts'));
var_dump(glob('/etc/does-not-exist'));


Expected result:
----------------
bool(false)
bool(false)

or

array(0) {
}
array(0) {
}


Actual result:
--------------
bool(false)
array(0) {
}

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-06-12 12:57 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2007-09-17 07:51 UTC] pajoye@php.net
The fix for this bug introduced a regression.

Using:

$a =glob("/home/pierre/cvs/php52/ext/*/tests/*");'

Where:

open_basedir = /home/pierre/cvs/php52

glob fails to access this path:

Warning: glob(): Unable to access /home/pierre/cvs/php52/ext/*/tests in Command line code on line 1




 [2007-09-18 19:08 UTC] iliaa@php.net
This is unavoidable since you don't want things like:

/home/pierre/cvs/php52/ext/*/tests/../../../../../*

to be let through.
 [2007-09-18 20:36 UTC] pajoye@php.net
Please, you can't break BC at this point. My example works before and must work now.

/home/pierre/cvs/php52/ext/*/tests/../../../../../*

has nothing to do with my example except that you add relative paths later. It is simply another case that should fail because of open_basedir.

My example introduces a huge BC break in symfony, to list only one widely used "app". Back to open, if you don't want to fix it yourself, please let me know, I will have to do it myself.
 [2007-09-19 22:40 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 18:02:13 2014 UTC