|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #54564 extension_dir should be used for loading zend_extensions
Submitted: 2011-04-18 23:05 UTC Modified: 2013-11-27 04:01 UTC
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: tyra3l at gmail dot com Assigned: laruence (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.3.6 OS:
Private report: No CVE-ID: None
 [2011-04-18 23:05 UTC] tyra3l at gmail dot com
I've brought this topic on the internals
and I think that it would be useful and more consistent, if this could be changed, 
so one could easily load both "normal" and zend extensions without the need to use 
absolute paths.

Test script:
php -n -d -r ''

Actual result:
Failed loading cannot open shared object file: No such file 
or directory


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2012-09-16 06:54 UTC]
I think loading extensions through relative path opens a way to all kinds of 
dangerous behavior and may have problematic security implications - like ones 
described here:
windows-dll-security-flaw-everything-old-is-new-again/. I'm not sure also why it 
is necessary - why can't PHP extension be installed in extension dir and run from 
there? If one needs multiple ones, multiple php.ini files can always be used.
 [2012-09-16 07:23 UTC]
Stas, I'm not sure I'm following your reasoning here.
extension_dir exists, and it is pretty standard in each and every distribution to 
rely on this behavior, so bringing this issue against my proposal means that you 
either missed my point (extension_dir is honored for zend_extension= like it does 
for extension=) or you somehow think that loading a rouge zend extension has 
bigger security implications, which I can't see.

ps: Binary Planting isn't really similar with what we have here, the issue with 
that is that it allows loading dll's from the current directory, while we would 
only allow loading extensions from the paths listed in extension_dir.
 [2013-11-26 19:10 UTC] rainer dot jung at kippdata dot de
Clarification: tyrael meant: "extension_dir is *not* honored for zend_extension=".
 [2013-11-26 21:54 UTC] rainer dot jung at kippdata dot de
This has already been fixed in master and 5.5:;a=commitdiff;h=0b8b6a727ddd31ff14e4af919c77a3f1b5e2b3f0;a=commitdiff;h=0def1ca59a60d9fa3a01900c9c09173fbbb9e8e0

It might make sense to backport to 5.4.
 [2013-11-27 04:01 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Wed Jan 20 14:01:23 2021 UTC