php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #62457 Excuse me, is this a bug?
Submitted: 2012-07-01 06:42 UTC Modified: 2012-07-02 00:46 UTC
From: mybugs at 163 dot com Assigned:
Status: Duplicate Package: Safe Mode/open_basedir
PHP Version: 5.4.4 OS: Microsoft Windows Server 2003 R2
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mybugs at 163 dot com
New email:
PHP Version: OS:

 

 [2012-07-01 06:42 UTC] mybugs at 163 dot com
Description:
------------
php.ini

[PATH=	"D:/Web/test.com/public"]
open_basedir		="D:/Web/test.com/public/"



Test script:
---------------
<?php
echo 'open_basedir:'.ini_get('open_basedir').'<br />';	//D:\WEB\TEST_COM\
$cmd = 'ping qq.com';
echo execute('system',$cmd);
echo execute('passthru',$cmd);
echo execute('shell_exec',$cmd);
echo execute('exec',$cmd);
echo execute('popen',$cmd);
function execute($type,$cfe) {
	$data = '';
	if ($cfe) {
		if($type=='system') {
			@ob_start();
			@system($cfe);
			$data = @ob_get_contents();
			@ob_end_clean();
		} elseif($type=='passthru') {
			@ob_start();
			@passthru($cfe);
			$data = @ob_get_contents();
			@ob_end_clean();
		} elseif($type=='shell_exec') {
			$data = @shell_exec($cfe);
		} elseif($type=='exec') {
			@exec($cfe,$data);
			$data = join("\n",$data);
		} elseif($type=='popen') {
			$f = @popen($cfe,"r");
			while(!@feof($f)) {
				$data .= @fread($f,1024); 
			}
			@pclose($f);
		}
	}
	return $type.'----------<br />'.$data.'<br />'.$type.'----------<br /><br />';
}

?>

Expected result:
----------------
open_basedir:D:\Web\test.com\public\
system----------

system----------

passthru----------
Pinging qq.com [119.147.15.13] with 32 bytes of data: Reply from 119.147.15.13: bytes=32 time=11ms TTL=56 Reply from 119.147.15.13: bytes=32 time=11ms TTL=56 Reply from 119.147.15.13: bytes=32 time=11ms TTL=56 Reply from 119.147.15.13: bytes=32 time=11ms TTL=56 Ping statistics for 119.147.15.13: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 11ms, Maximum = 11ms, Average = 11ms
passthru----------

shell_exec----------
Pinging qq.com [119.147.15.17] with 32 bytes of data: Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Ping statistics for 119.147.15.17: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 9ms, Maximum = 9ms, Average = 9ms
shell_exec----------

exec----------
Pinging qq.com [119.147.15.17] with 32 bytes of data: Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Ping statistics for 119.147.15.17: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 9ms, Maximum = 9ms, Average = 9ms
exec----------

popen----------
Pinging qq.com [119.147.15.17] with 32 bytes of data: Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Ping statistics for 119.147.15.17: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 9ms, Maximum = 9ms, Average = 9ms
popen----------


Actual result:
--------------
open_basedir:D:\Web\test.com\public\
system----------

system----------

passthru----------

passthru----------

shell_exec----------

shell_exec----------

exec----------

exec----------

popen----------

popen----------

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-07-01 06:43 UTC] mybugs at 163 dot com
php.ini

disable_functions =system

[PATH=	"D:/Web/test.com/public"]
open_basedir
 [2012-07-01 09:58 UTC] Sjon at hortensius dot net
What if you remove all '@' from your script, what are the error-messages that 
appear? Because with those added, all errors are hidden.
 [2012-07-01 11:30 UTC] mybugs at 163 dot com
I 'm sorry . I  set the wrong position by "Actual result" and "Expected result" at the time of submission .

It should be the"Actual result"is the "Expected result",and the "Expected result" is the "Actual result"

This problem is that it can restrict path but at the same time it also can perform the other  program except the path.
It is the significant security hidden danger.


fix
php.ini

disable_functions=system
[PATH="D:/Web/test.com/public"]
open_basedir=D:/Web/test.com/public/
 [2012-07-01 13:32 UTC] Sjon at hortensius dot net
Aha, so your report is that open_basedir does not restrict the binaries that you 
can run using the various methods of system-calls? Because that is not a bug :)

open_basedir, by design, cannot limit the paths that system-calls will eventually 
be able to reach since it has no control over that. This was previously reported 
as #55761

Also, the next time you report a bug, a more descriptive title would be 
appreciated!
 [2012-07-02 00:46 UTC] aharvey@php.net
-Status: Open +Status: Duplicate
 [2012-07-02 00:46 UTC] aharvey@php.net
In summary, no, it's not a bug, for the reasons Sjon has stated.

Closing as duplicate of bug #55761.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Nov 28 14:01:23 2020 UTC