php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #63076 Force source IP on network operations
Submitted: 2012-09-12 20:08 UTC Modified: 2012-09-13 08:19 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: tonix at interazioni dot it Assigned:
Status: Open Package: Network related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: tonix at interazioni dot it
New email:
PHP Version: OS:

 

 [2012-09-12 20:08 UTC] tonix at interazioni dot it
Description:
------------
It would nbe nice to have a new security feature in PHP.

Actually, a web server receives connections from a specific IP/port, but any PHP script can use any available address on outgoing connections.
This can be a security problem.

It should be possible to 'force' PHP to open connections only with a spcific IP or with the listening IP.This helps to prevent such problems:

 * if you have internal interfaces in the same machine where you have
   public IPs, a web PHP application could try to use the internal
   address of the interface, exploring internal network (actually we avoid that
   thanks to FreeBSD jails).
 * if apache listens on a specific  IP for a single domain, and listens
   on other IPs for others domains, it would be safe if each domain can
   use as source IP only the listening IP associated. 



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-09-13 01:09 UTC] aharvey@php.net
You can already do this for any function that accepts a stream context via the bindto context option. Is there a specific case that isn't covered?
 [2012-09-13 01:09 UTC] aharvey@php.net
-Status: Open +Status: Feedback -Package: Safe Mode/open_basedir +Package: Network related
 [2012-09-13 08:19 UTC] tonix at interazioni dot it
-Status: Feedback +Status: Open
 [2012-09-13 08:19 UTC] tonix at interazioni dot it
bindto looks to be a programming option.
I'm asking for a PHP directive, similar to OPEN_BASEDIR, which will force the bind address for any function opening/creating a socket or network connection.

This should be imposed by the system manager, when there is a multidomain/multiIP apache.

It would be useful to have something like:
BIND_IP 'x.x.x.x' (specific IP do be used for binding)
BIND_LISTEN (force use of IP on which the apache connection is received)
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Oct 23 20:01:30 2019 UTC