PHP :: Bug #47318 :: UMR when trying to activate user config

Bug #47318	UMR when trying to activate user config
Submitted:	2009-02-05 18:45 UTC	Modified:	2009-06-17 21:16 UTC
From:	stas at zend dot com	Assigned:	pajoye (profile)
Status:	Closed	Package:	PHP options/info functions
PHP Version:	5.3CVS-2009-02-05 (CVS)	OS:	*
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	stas at zend dot com
New email:
PHP Version:		OS:

New Comment:

[2009-02-05 18:45 UTC] stas at zend dot com

Description:
------------
In function sapi_cgi_activate, php_cgi_ini_activate_user_config is called with path of the current script and third parameter 'start' which is document_root length - 1. Then, the following code is used:

		ptr = path + start; /* start is the point where doc_root ends! */
		while ((ptr = strchr(ptr, DEFAULT_SLASH)) != NULL) {


However, in general, path is not guaranteed to be residing in DOCUMENT_ROOT. While usually it is the case, there could be rewriting/aliasing scenarios that would call PHP on files outside document root. Or the user can invoke PHP binary by himself too (having DOCUMENT_ROOT set independently, but not intending to use it). 
In such cases, DOCUMENT_ROOT length has no relation to path length, which makes ptr point either to random place inside string if DOCUMENT_ROOT is short, or to random unallocated place in memory if it is longer than current path. 

Reproduce code:
---------------
One can easily reproduce it by setting DOCUMENT_ROOT to very long string and running PHP CGI under valgrind with parameter being some short script path. 

Actual result:
--------------
==15115== Invalid read of size 1
==15115==    at 0x400609A: index (mc_replace_strmem.c:164)
==15115==    by 0x84CE159: php_cgi_ini_activate_user_config (cgi_main.c:716)
==15115==    by 0x84CE40D: sapi_cgi_activate (cgi_main.c:778)
==15115==    by 0x83DA5C1: sapi_activate (SAPI.c:392)
==15115==    by 0x83D08AC: php_request_startup (main.c:1342)
==15115==    by 0x84D04C1: main (cgi_main.c:1961)
==15115==  Address 0x4A65693 is 5 bytes before a block of size 50 alloc'd
==15115==    at 0x4005400: malloc (vg_replace_malloc.c:149)
==15115==    by 0x844B09C: __zend_malloc (zend_alloc.h:81)
==15115==    by 0x844ADC2: _zend_hash_add_or_update (zend_hash.c:247)
==15115==    by 0x84CE0E9: php_cgi_ini_activate_user_config (cgi_main.c:704)
==15115==    by 0x84CE40D: sapi_cgi_activate (cgi_main.c:778)
==15115==    by 0x83DA5C1: sapi_activate (SAPI.c:392)
==15115==    by 0x83D08AC: php_request_startup (main.c:1342)
==15115==    by 0x84D04C1: main (cgi_main.c:1961)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-05-18 17:13 UTC] pajoye@php.net

Patch proposal: http://pastebin.com/m55fa609d

It also slightly changes the behaviors:
- if the current script is not inside the DOCUMENT_ROOT, the path is not processed
- it also checks if the path is an absolute path and get the real path if not (to test against the doc_root)

Stas, Jani: can you test it please before I commit it?

[2009-05-26 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

[2009-06-16 23:44 UTC] stas@php.net

The patch needs one change: if the path is inside docroot, it should check up to docroot, otherwise it should take current dir only (now it looks like it ignores it completely).

[2009-06-17 21:16 UTC] pajoye@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Apr 23 22:01:31 2024 UTC