Bug #47318 UMR when trying to activate user config
Submitted: 2009-02-05 18:45 UTC Modified: 2009-06-17 21:16 UTC
From: stas at zend dot com Assigned: pajoye
Status: Closed Package: PHP options/info functions
PHP Version: 5.3CVS-2009-02-05 (CVS) OS: *
Private report: No CVE-ID:
 [2009-02-05 18:45 UTC] stas at zend dot com
Description:
------------
In function sapi_cgi_activate, php_cgi_ini_activate_user_config is called with the path of the current script and third parameter 'start', which is the document_root length - 1. Then, the following code is used:

		ptr = path + start; /* start is the point where doc_root ends! */
		while ((ptr = strchr(ptr, DEFAULT_SLASH)) != NULL) {


However, in general, path is not guaranteed to be residing in DOCUMENT_ROOT. While usually it is the case, there could be rewriting/aliasing scenarios that would call PHP on files outside the document root. Or the user can invoke the PHP binary by himself too (having DOCUMENT_ROOT set independently, but not intending to use it).
In such cases, DOCUMENT_ROOT length has no relation to path length, which makes ptr point either to a random place inside the string if DOCUMENT_ROOT is short, or to a random unallocated place in memory if it is longer than the current path.

Reproduce code:
---------------
One can easily reproduce it by setting DOCUMENT_ROOT to a very long string and running PHP CGI under valgrind with the parameter being some short script path.

Actual result:
--------------
==15115== Invalid read of size 1
==15115==    at 0x400609A: index (mc_replace_strmem.c:164)
==15115==    by 0x84CE159: php_cgi_ini_activate_user_config (cgi_main.c:716)
==15115==    by 0x84CE40D: sapi_cgi_activate (cgi_main.c:778)
==15115==    by 0x83DA5C1: sapi_activate (SAPI.c:392)
==15115==    by 0x83D08AC: php_request_startup (main.c:1342)
==15115==    by 0x84D04C1: main (cgi_main.c:1961)
==15115==  Address 0x4A65693 is 5 bytes before a block of size 50 alloc'd
==15115==    at 0x4005400: malloc (vg_replace_malloc.c:149)
==15115==    by 0x844B09C: __zend_malloc (zend_alloc.h:81)
==15115==    by 0x844ADC2: _zend_hash_add_or_update (zend_hash.c:247)
==15115==    by 0x84CE0E9: php_cgi_ini_activate_user_config (cgi_main.c:704)
==15115==    by 0x84CE40D: sapi_cgi_activate (cgi_main.c:778)
==15115==    by 0x83DA5C1: sapi_activate (SAPI.c:392)
==15115==    by 0x83D08AC: php_request_startup (main.c:1342)
==15115==    by 0x84D04C1: main (cgi_main.c:1961)

 [2009-05-18 17:13 UTC] pajoye@php.net
Patch proposal: http://pastebin.com/m55fa609d

It also slightly changes the behavior:
- if the current script is not inside the DOCUMENT_ROOT, the path is not processed
- it also checks if the path is an absolute path and gets the real path if not (to test against the doc_root)

Stas, Jani: can you test it please before I commit it?
 [2009-05-26 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2009-06-16 23:44 UTC] stas@php.net
The patch needs one change: if the path is inside docroot, it should check up to docroot, otherwise it should take current dir only (now it looks like it ignores it completely). 
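Added illustration, not code from this report or from PHP itself: a stand-alone C sketch of the offset arithmetic described in the original description beside a hardened directory walk that follows the behaviour discussed in the patch comments (scan from the DOCUMENT_ROOT boundary only when the root is a genuine directory prefix of the script path; otherwise consider just the script's own directory; reject relative paths so the caller resolves them first). The function names, the MAX_PATH limit and the sample paths are assumptions made here for the example.

```c
#include <stdio.h>
#include <string.h>

#define DEFAULT_SLASH '/'
#define MAX_PATH 256

/* Offset arithmetic as described in the report: start is computed from the
 * DOCUMENT_ROOT length alone, so nothing ties it to the script path. Returns
 * 1 when path + start is still addressable (inside the string or at its NUL),
 * 0 when it would point past the end of the buffer. Assumes a non-empty root. */
int report_start_in_bounds(const char *path, const char *doc_root)
{
    size_t start = strlen(doc_root) - 1;  /* "start is the point where doc_root ends!" */
    return start <= strlen(path);
}

/* Copy the first len bytes of path as a NUL-terminated directory name;
 * len == 0 means the filesystem root itself. */
static void copy_dir(char *dst, const char *path, size_t len)
{
    if (len == 0) {
        strcpy(dst, "/");
        return;
    }
    if (len >= MAX_PATH)
        len = MAX_PATH - 1;
    memcpy(dst, path, len);
    dst[len] = '\0';
}

/* Hardened variant (hypothetical, not PHP's own code): fills dirs[] with the
 * directories in which a per-directory user config would be looked up and
 * returns their count, or -1 for a relative path (callers resolve those to an
 * absolute path first). The walk is anchored at the doc_root boundary only
 * when doc_root is a real directory prefix of path; otherwise only the
 * script's own directory is used, never an offset derived from strlen(doc_root). */
int user_config_dirs(const char *path, const char *doc_root,
                     char dirs[][MAX_PATH], int max_dirs)
{
    size_t plen = strlen(path), dlen = strlen(doc_root);
    const char *ptr;
    int n = 0;

    if (plen == 0 || path[0] != DEFAULT_SLASH)
        return -1;

    /* "/var/www/" and "/var/www" compare equal; a root of "/" becomes "" */
    while (dlen > 0 && doc_root[dlen - 1] == DEFAULT_SLASH)
        dlen--;

    /* prefix check includes the separator, so "/var/www2" is not under "/var/www" */
    if (plen > dlen && strncmp(path, doc_root, dlen) == 0 && path[dlen] == DEFAULT_SLASH) {
        ptr = path + dlen;  /* the slash that terminates doc_root: always inside path */
        while (n < max_dirs && (ptr = strchr(ptr, DEFAULT_SLASH)) != NULL) {
            copy_dir(dirs[n++], path, (size_t)(ptr - path));
            ptr++;
        }
    } else if (max_dirs > 0) {
        const char *last = strrchr(path, DEFAULT_SLASH);  /* non-NULL: path[0] is a slash */
        copy_dir(dirs[n++], path, (size_t)(last - path));
    }
    return n;
}

int main(void)
{
    /* constructed sample inputs */
    const char *root = "/var/www";
    const char *inside = "/var/www/app/index.php";
    const char *outside = "/home/u/x.php";
    const char *long_root = "/a/very/long/document/root/that/is/longer/than/the/script/path";
    char dirs[8][MAX_PATH];
    int i, n;

    printf("report arithmetic, short root: in bounds = %d\n",
           report_start_in_bounds(outside, root));
    printf("report arithmetic, long root:  in bounds = %d\n",
           report_start_in_bounds(outside, long_root));

    n = user_config_dirs(inside, root, dirs, 8);
    for (i = 0; i < n; i++)
        printf("inside docroot, scan: %s\n", dirs[i]);
    n = user_config_dirs(outside, root, dirs, 8);
    for (i = 0; i < n; i++)
        printf("outside docroot, scan: %s\n", dirs[i]);
    return 0;
}
```

The prefix test deliberately requires the separator after the root so that a sibling directory sharing a name prefix with DOCUMENT_ROOT is treated as outside it; the report's original arithmetic has no such comparison at all, which is why a long root turns the offset into an out-of-bounds read.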
 [2009-06-17 21:16 UTC] pajoye@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 19:02:15 2014 UTC