php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #52624 tempnam() by-pass open_basedir with inexistent directory
Submitted: 2010-08-17 14:39 UTC Modified: 2011-11-15 17:00 UTC
Votes:2
Avg. Score:2.5 ± 1.5
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: hirad dot navid at t-systems dot at Assigned: felipe
Status: Closed Package: Unknown/Other Function
PHP Version: 5.2.14 OS: RHEL 5
Private report: No CVE-ID:
 [2010-08-17 14:39 UTC] hirad dot navid at t-systems dot at
Description:
------------
Dear php Team,

We are using php 5.2.13 and Safe_mod is ON.

we have a problem using tempnam, at first we had tempnam('',tempfile); 
This did not work - error "can not access /tmp

Later I investigated and have written the testscript and have following behavior. Attention script must be owned by non root user

the script with 7th line $tmp_name = tempnam ( 'tmp', 'tempname' ); works fine also with safe_mode

when i change it to $tmp_name = tempnam ( '/tmp', 'tempname' ); a safe_mode restriction takes effect (the one with compares UID/GID and puts out 
Warning: tempnam() [function.tempnam]: SAFE MODE Restriction in effect. The script whose uid/gid is 506/506 is not allowed to access /tmp owned by uid/gid 0/0 in /home/httpd/html/default/tempfile.php on line 7

but why does it work without the beginning '/'?
Can you clarify this behavior please? and another issuse is that when i try with $tmp_name = tempnam ( '/tmp', 'tempname' ); it does not make a diference putting /tmp to openbasedir or safe_mode_includedir it dies not work.


I have also read the changelog and have found that since PHP 5.2.12 some issues with tempname and safe_mode have been fixed - there was a bug that tempnam ignores safe_mode. And this correct because i tested with php 5.2.11 and it worked with /tmp also. Can you tell me ehat exactly is changed saince version 5.2.12?




Test script:
---------------
<?PHP

$xx = sys_get_temp_dir();
echo $xx . '<br>';
for ( $x = 0; $x <= 5; $x++ )
{
  $tmp_name = tempnam ( 'tmp', 'tempname' );
  echo $tmp_name . '<br>';
}
$str = 'standing in a tempfile';
$tmp_file = fopen ( $tmp_name, 'w' );
fputs ( $tmp_file, $str );
fclose ( $tmp_file );
$fp = fopen ( $tmp_name, 'r' );
$str = fgets ( $fp, 50 );
fclose ( $fp );
echo $str;
?>

Expected result:
----------------
script above works fine also in safe mode change 7th line from
$tmp_name = tempnam ( 'tmp', 'tempname' );
to
$tmp_name = tempnam ( '/tmp', 'tempname' ); bringe a safe_mode restriction which is also ok, but why does it work without / and why does it not make a diference putting /tmp to openbasedir or safe_mode_include_dir



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-05-10 15:19 UTC] alexis dot olivier at unicaen dot fr
Hello everybody,

We got the same case with open_basedir restriction.

The users have no access to /tmp (they have their own tmp dir). When calling tempnam('/tmp', 'tempname'), The open_basedir restriction takes effect and creation of the file is forbidden.

But, when calling tempnam('path_that_doesnt_exist', 'tempname'), the function takes /tmp in fallback and file is created (overriding the open_basedir restriction). The file can't be written (open_basedir restriction), but this bug can be used to overflow tmp directory.

I think it lacks a test in the function to protect from writing out of open_basedir restriction.

Test script:
------------
With open_basedir not including /tmp : 
<?php
// This gives a warning
echo tempnam("/tmp", "prefix_");
// This creates a file in /tmp
echo tempnam("directory_that_not_exists", "prefix_");
?>
 [2011-11-15 16:59 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=319255
Log: - Fixed bug #52624 (tempnam() by-pass open_basedir with inexistent directory)
 [2011-11-15 17:00 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2011-11-15 17:00 UTC] felipe@php.net
-Summary: tempnam() in SAFE Mode +Summary: tempnam() by-pass open_basedir with inexistent directory -Status: Open +Status: Closed -Assigned To: +Assigned To: felipe
 [2012-04-18 09:47 UTC] laruence@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1f81004be268c2918ecf6ca996461c7b0c152a20
Log: - Fixed bug #52624 (tempnam() by-pass open_basedir with inexistent directory)
 [2012-07-24 23:38 UTC] rasmus@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1f81004be268c2918ecf6ca996461c7b0c152a20
Log: - Fixed bug #52624 (tempnam() by-pass open_basedir with inexistent directory)
 [2013-11-17 09:35 UTC] laruence@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1f81004be268c2918ecf6ca996461c7b0c152a20
Log: - Fixed bug #52624 (tempnam() by-pass open_basedir with inexistent directory)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 18:02:13 2014 UTC