php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #62457 Excuse me, is this a bug?
Submitted: 2012-07-01 06:42 UTC Modified: 2012-07-02 00:46 UTC
From: mybugs at 163 dot com Assigned:
Status: Duplicate Package: Safe Mode/open_basedir
PHP Version: 5.4.4 OS: Microsoft Windows Server 2003 R2
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
35 - 14 = ?
Subscribe to this entry?

 
 [2012-07-01 06:42 UTC] mybugs at 163 dot com 
Description:
------------
php.ini

[PATH=	"D:/Web/test.com/public"]
open_basedir		="D:/Web/test.com/public/"



Test script:
---------------
<?php
echo 'open_basedir:'.ini_get('open_basedir').'<br />';	//D:\WEB\TEST_COM\
$cmd = 'ping qq.com';
echo execute('system',$cmd);
echo execute('passthru',$cmd);
echo execute('shell_exec',$cmd);
echo execute('exec',$cmd);
echo execute('popen',$cmd);
function execute($type,$cfe) {
	$data = '';
	if ($cfe) {
		if($type=='system') {
			@ob_start();
			@system($cfe);
			$data = @ob_get_contents();
			@ob_end_clean();
		} elseif($type=='passthru') {
			@ob_start();
			@passthru($cfe);
			$data = @ob_get_contents();
			@ob_end_clean();
		} elseif($type=='shell_exec') {
			$data = @shell_exec($cfe);
		} elseif($type=='exec') {
			@exec($cfe,$data);
			$data = join("\n",$data);
		} elseif($type=='popen') {
			$f = @popen($cfe,"r");
			while(!@feof($f)) {
				$data .= @fread($f,1024); 
			}
			@pclose($f);
		}
	}
	return $type.'----------<br />'.$data.'<br />'.$type.'----------<br /><br />';
}

?>

Expected result:
----------------
open_basedir:D:\Web\test.com\public\
system----------

system----------

passthru----------
Pinging qq.com [119.147.15.13] with 32 bytes of data: Reply from 119.147.15.13: bytes=32 time=11ms TTL=56 Reply from 119.147.15.13: bytes=32 time=11ms TTL=56 Reply from 119.147.15.13: bytes=32 time=11ms TTL=56 Reply from 119.147.15.13: bytes=32 time=11ms TTL=56 Ping statistics for 119.147.15.13: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 11ms, Maximum = 11ms, Average = 11ms
passthru----------

shell_exec----------
Pinging qq.com [119.147.15.17] with 32 bytes of data: Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Ping statistics for 119.147.15.17: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 9ms, Maximum = 9ms, Average = 9ms
shell_exec----------

exec----------
Pinging qq.com [119.147.15.17] with 32 bytes of data: Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Ping statistics for 119.147.15.17: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 9ms, Maximum = 9ms, Average = 9ms
exec----------

popen----------
Pinging qq.com [119.147.15.17] with 32 bytes of data: Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Ping statistics for 119.147.15.17: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 9ms, Maximum = 9ms, Average = 9ms
popen----------


Actual result:
--------------
open_basedir:D:\Web\test.com\public\
system----------

system----------

passthru----------

passthru----------

shell_exec----------

shell_exec----------

exec----------

exec----------

popen----------

popen----------

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-07-01 06:43 UTC] mybugs at 163 dot com 
php.ini

disable_functions =system

[PATH=	"D:/Web/test.com/public"]
open_basedir
 [2012-07-01 09:58 UTC] Sjon at hortensius dot net 
What if you remove all '@' from your script, what are the error-messages that 
appear? Because with those added, all errors are hidden.
 [2012-07-01 11:30 UTC] mybugs at 163 dot com 
I 'm sorry . I  set the wrong position by "Actual result" and "Expected result" at the time of submission .

It should be the"Actual result"is the "Expected result",and the "Expected result" is the "Actual result"

This problem is that it can restrict path but at the same time it also can perform the other  program except the path.
It is the significant security hidden danger.


fix
php.ini

disable_functions=system
[PATH="D:/Web/test.com/public"]
open_basedir=D:/Web/test.com/public/
 [2012-07-01 13:32 UTC] Sjon at hortensius dot net 
Aha, so your report is that open_basedir does not restrict the binaries that you 
can run using the various methods of system-calls? Because that is not a bug :)

open_basedir, by design, cannot limit the paths that system-calls will eventually 
be able to reach since it has no control over that. This was previously reported 
as #55761

Also, the next time you report a bug, a more descriptive title would be 
appreciated!
 [2012-07-02 00:46 UTC] aharvey@php.net
-Status: Open +Status: Duplicate
 [2012-07-02 00:46 UTC] aharvey@php.net 
In summary, no, it's not a bug, for the reasons Sjon has stated.

Closing as duplicate of bug #55761.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 18 19:01:30 2024 UTC