php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #73020 GD fontnames can violate open_basedir restriction
Submitted: 2016-09-05 10:40 UTC Modified: 2017-10-16 08:52 UTC
From: cmb@php.net Assigned: cmb (profile)
Status: Closed Package: GD related
PHP Version: 7.1Git-2016-09-05 (Git) OS: *
Private report: No CVE-ID: None
 [2016-09-05 10:40 UTC] cmb@php.net
Description:
------------
I've just stumbled upon <https://bugs.php.net/bug.php?id=64823>
and that pointed me to a potential security issue, namely that the
open_basedir check[1] is useless for font names (which are looked
up in the standard font directories). Even worse, not only a font
name, but actually a semicolon delimited font name list[2] is
accepted by gdImageStringFT() and friends, what is not catered to
by the PHP binding at all, i.e. the reproduce script works in non
ZTS mode (if myfont.ttf exists in the parent dir), even if
`open_basedir=.`.

[1] <https://github.com/php/php-src/blob/PHP-7.0.11/ext/gd/gd.c#L3914>
[2] <https://github.com/php/php-src/blob/PHP-7.0.11/ext/gd/libgd/gdft.c#L81-L85>


Test script:
---------------
var_dump(
	imagettfbbox(14, 0, 'doesnotexist.tff;../myfont.ttf', 'foo')
	=== false
);


Expected result:
----------------
Warning: fopen(): open_basedir restriction in effect. File(../myfont.ttf) is not within the allowed path(s): (.) in %s on line %d
bool(true)


Actual result:
--------------
bool(false)


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-05 10:40 UTC] cmb@php.net
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2016-09-05 13:16 UTC] pajoye@php.net
This is not a bug but a feature.

Fontconfig, font families etc may find fonts in the system font folder(s).

I am not sure we should change that. Also ft is not the only library accessing files ouutsdie openbasedir.
 [2016-09-05 14:20 UTC] cmb@php.net
Well, I see, but then we should either remove the
PHP_GD_CHECK_OPEN_BASEDIR call altogether, or check all filenames
in the list individually.
 [2016-09-05 21:02 UTC] stas@php.net
-Assigned To: +Assigned To: pajoye
 [2016-10-25 01:40 UTC] stas@php.net
-Assigned To: pajoye +Assigned To: cmb
 [2017-08-27 19:16 UTC] cmb@php.net
I have documented that open_basedir does not apply to these
$fontfile parameters. I'll wait at least until these changes are
available on <php.net/manual/en> before disclosing this ticket.
 [2017-10-16 02:22 UTC] stas@php.net
can we close it now?
 [2017-10-16 08:52 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 [2017-10-16 08:52 UTC] cmb@php.net
Thanks for the ping, Stas. Closing.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Jul 23 18:01:23 2021 UTC