php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #69134 Per Directory Values overrides PHP_INI_SYSTEM configuration options
Submitted: 2015-02-27 05:06 UTC Modified: 2015-03-17 23:55 UTC
From: aserbulov at parallels dot com Assigned: ab
Status: Closed Package: PHP options/info functions
PHP Version: 5.5.22 OS: Windows
Private report: No CVE-ID:
 [2015-02-27 05:06 UTC] aserbulov at parallels dot com
Description:
------------
http://php.net/manual/en/configuration.changes.php
---
only configuration values changeable in PHP_INI_USER can be set this way
---

Expected result:
----------------
PHP_INI_SYSTEM configuration options should not be overridden by Per Directory Values.

Actual result:
--------------
Per Directory Values overrides PHP_INI_SYSTEM configuration options.

Patches

bug69134.patch (last revision 2015-03-04 18:53 UTC) by ab@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-02-27 05:36 UTC] aserbulov at parallels dot com
patch
---
--- win32/registry.c	Wed Jan 21 10:23:27 2015
+++ win32/registry.c	Fri Feb 27 10:40:52 2015
@@ -261,7 +261,7 @@
 			     zend_hash_get_current_data_ex(ht, (void**)&data, &pos) == SUCCESS &&
 			     zend_hash_get_current_key_ex(ht, &index, &index_len, &num, 0, &pos) == HASH_KEY_IS_STRING;
 			     zend_hash_move_forward_ex(ht, &pos)) {
-				zend_alter_ini_entry(index, index_len, Z_STRVAL_PP(data), Z_STRLEN_PP(data), PHP_INI_SYSTEM, PHP_INI_STAGE_ACTIVATE);
+				zend_alter_ini_entry(index, index_len, Z_STRVAL_PP(data), Z_STRLEN_PP(data), PHP_INI_USER, PHP_INI_STAGE_ACTIVATE);
 			}
 			break;
 		}

---
 [2015-02-27 05:43 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2015-02-27 05:43 UTC] stas@php.net
Could you please provide a reproduction scenario that demonstrates the problem?
 [2015-02-27 05:51 UTC] aserbulov at parallels dot com
-Status: Feedback +Status: Open
 [2015-02-27 05:51 UTC] aserbulov at parallels dot com
You can set any PHP_INI_SYSTEM configuration option in "Per Directory Values" registry sub-key (for example: curl.cainfo) and it overrides the same option in php.ini
 [2015-02-27 14:45 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2015-02-27 14:45 UTC] ab@php.net
@aserbulov, thanks for reporting. I can confirm this behavior. However it rather looks like the documentation discrepancy. I see nowhere back in time it were working like like is documented but was always PHP_INI_SYSTEM, like since PHP4 :)

What where the actual security risk? People who can edit registry usually have enough privileges to do any possible harm to the system.

Thanks.
 [2015-03-02 03:42 UTC] aserbulov at parallels dot com
-Status: Feedback +Status: Open
 [2015-03-02 03:42 UTC] aserbulov at parallels dot com
Server administrator can grant write access on "HKLM\Software\PHP\Per Directory Values\C\inetpub\some_website_wwwroot" registry key for some user, and this user can overrides PHP_INI_SYSTEM options.
 [2015-03-02 04:16 UTC] stas@php.net
-Assigned To: +Assigned To: ab
 [2015-03-04 18:53 UTC] ab@php.net
The following patch has been added/updated:

Patch Name: bug69134.patch
Revision:   1425495199
URL:        https://bugs.php.net/patch-display.php?bug=69134&patch=bug69134.patch&revision=1425495199
 [2015-03-04 19:05 UTC] ab@php.net
-Status: Assigned +Status: Verified
 [2015-03-04 19:06 UTC] ab@php.net
Stas,

I've attached a patch suitable for 5.4/5/6. The @aserbulov's suggestion sounds plausible - it's documented also here http://php.net/manual/en/configuration.changes.modes.php , but was never working :)

Depending on the (shared) hosters, the access could be incapsulated within one account or even shrinked to the only readable mode for the registry. But we're on the safe side bringing the behavior inline with the doc as it's more robust against misconfigurations. The real php.ini is usually managed by admins only, the PHP_INI_USER is for users only.

Note that I've applied this to master already as part of a bigger fix, as there was some substantial breaches to the functionality. Unfortunately it's not easy to test as one has to prepare the registry manually. So when merging into master, please do just --strategy=ours.

Cheers.
 [2015-03-17 23:55 UTC] stas@php.net
-Status: Verified +Status: Closed
 [2015-03-17 23:55 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2015-03-18 05:09 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bfb669891e02ba36f27f7807a3e114a57d78823c
Log: Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options)
 [2015-03-18 09:47 UTC] jpauli@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=048e0d58bf3a30849b0f7b7c1e43e8fb9fc8b01b
Log: Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options)
 [2015-03-19 01:00 UTC] tyrael@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f183044fd301ed75f37983b95903b71467c29f4
Log: Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue May 30 09:02:04 2017 UTC