|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2007-08-31 11:15 UTC] php at stock-consulting dot com
Description:
------------
Situation: the local machine, which executes the PHP script via the command line, sits behind a NAT firefall and needs to retrieve directory listings and files from an FTP server sitting somewhere on the Internet. Passive FTP is required to traverse the firewall. The local machine has the IP address 10.0.0.1 (subnet configured as Class C). The external (WAN) IP of the router/firewall is 80.x.x.x (address partially concealed to protect the, erm, innocent).
Now the problem: the script correctly connects to the FTP server and begins to retrieve directory listings (recursively) and files. At some RANDOM point, the following warning appears:
Warning: ftp_chdir(): PORT command only accepts client IP address (80.x.x.x
!=10.0.0.1). in my_script.php on line 40
This warning then appears both at all further attempts to retrieve directory listings and files. The transfers are not successful.
Note that directory and file retrieval works perfectly UNTIL the warning occurs for the first time, at some random time. When the script is restarted, it will again work for some listings and files, until, at some different point, the warning will appear again.
Reproduce code:
---------------
// Short version, stripped from anything which appeared not so useful for this bug report
function remote_scan($path) {
global $ftp;
ftp_chdir($ftp, $path);
$raw_entries = ftp_rawlist($ftp, $path);
foreach ($raw_entries AS $line) {
$entry = preg_split('@\s+@', $line, 9);
if ($entry[4] == 0) {
remote_scan($path . $entry[8] . '/');
} else {
ftp_get($ftp, 'x:/local_path' . $path . $entry[8], $path . $entry[8], FTP_BINARY);
}
}
}
$ftp = ftp_connect('ftp.url', 47624); // server uses non-standard port
$login_result = ftp_login($ftp, 'user', 'password');
ftp_pasv($ftp, true);
remote_scan('/');
ftp_close($ftp);
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Fri Apr 19 17:01:30 2024 UTC |
Further thoughts. It appears to me that the message "PORT command only accepts..." originates from the FTP server. "PORT command"? What "PORT command"? I thought I was using PASV? Exactly. I can confim that I use ftp_pasv($ftp, true) once, and that I never turn passive mode off. So apparently the FTP functions somehow seem to "forget" (at some random point) that they should use PASV mode. Always suspicious as I am, this smells like something like buffer overflow to me. Let's have a look at ftp.h: typedef struct ftpbuf { php_socket_t fd; /* control connection */ php_sockaddr_storage localaddr; /* local address */ int resp; /* last response code */ char inbuf[FTP_BUFSIZE]; /* last response text */ char *extra; /* extra characters */ int extralen; /* number of extra chars */ char outbuf[FTP_BUFSIZE]; /* command output buffer */ char *pwd; /* cached pwd */ char *syst; /* cached system type */ ftptype_t type; /* current transfer type */ int pasv; /* 0=off; 1=pasv; 2=ready */ <snip> Hm, candiates might be inbuf and outbuf. However, a look at the code pieces which might be primary candidates for a buffer overflow revealed nothing suspicious to me. However, I stumbled across a piece a code which looked kinda fishy to me, beginning at line 1140 in ftp.c: /* shift the extra to the front */ size = FTP_BUFSIZE; rcvd = 0; if (ftp->extra) { memmove(ftp->inbuf, ftp->extra, ftp->extralen); rcvd = ftp->extralen; } ftp->extra, together with ftp->textralen, appear to be essentiall unbounded. Yuk! Now, I don't see any place where ftp->extra or ftp->extralen gets set. I should have a look at the initilization code, to find out if it gets at least initialized correctly. As soon as time permits - currently I have no time and so I've to leave this scene of investivation :-( Best regards, Klaus