php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #54564 extension_dir should be used for loading zend_extensions
Submitted: 2011-04-18 23:05 UTC Modified: 2013-11-27 04:01 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: tyra3l at gmail dot com Assigned: laruence (profile)
Status: Closed Package: Scripting Engine problem
PHP Version: 5.3.6 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: tyra3l at gmail dot com
New email:
PHP Version: OS:

 

 [2011-04-18 23:05 UTC] tyra3l at gmail dot com
Description:
------------
I've brought this topic on the internals
http://marc.info/?l=php-internals&m=130314285822279&w=2
and I think that it would be useful and more consistent, if this could be changed, 
so one could easily load both "normal" and zend extensions without the need to use 
absolute paths.


Test script:
---------------
php -n -d zend_extension=xdebug.so -r ''

Actual result:
--------------
Failed loading xdebug.so:  xdebug.so: cannot open shared object file: No such file 
or directory

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-09-16 06:54 UTC] stas@php.net
I think loading extensions through relative path opens a way to all kinds of 
dangerous behavior and may have problematic security implications - like ones 
described here: http://arstechnica.com/information-technology/2010/08/new-
windows-dll-security-flaw-everything-old-is-new-again/. I'm not sure also why it 
is necessary - why can't PHP extension be installed in extension dir and run from 
there? If one needs multiple ones, multiple php.ini files can always be used.
 [2012-09-16 07:23 UTC] tyrael@php.net
Stas, I'm not sure I'm following your reasoning here.
extension_dir exists, and it is pretty standard in each and every distribution to 
rely on this behavior, so bringing this issue against my proposal means that you 
either missed my point (extension_dir is honored for zend_extension= like it does 
for extension=) or you somehow think that loading a rouge zend extension has 
bigger security implications, which I can't see.

ps: Binary Planting isn't really similar with what we have here, the issue with 
that is that it allows loading dll's from the current directory, while we would 
only allow loading extensions from the paths listed in extension_dir.
 [2013-11-26 19:10 UTC] rainer dot jung at kippdata dot de
Clarification: tyrael meant: "extension_dir is *not* honored for zend_extension=".
 [2013-11-26 21:54 UTC] rainer dot jung at kippdata dot de
This has already been fixed in master and 5.5:

http://git.php.net/?p=php-src.git;a=commitdiff;h=0b8b6a727ddd31ff14e4af919c77a3f1b5e2b3f0

http://git.php.net/?p=php-src.git;a=commitdiff;h=0def1ca59a60d9fa3a01900c9c09173fbbb9e8e0

It might make sense to backport to 5.4.
 [2013-11-27 04:01 UTC] laruence@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: laruence
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 00:01:28 2024 UTC