php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #76459 windows linkinfo lacks openbasedir check
Submitted: 2018-06-11 22:51 UTC Modified: 2018-08-15 13:54 UTC
From: fernando at null-life dot com Assigned: ab (profile)
Status: Closed Package: *General Issues
PHP Version: 7.2.6 OS: Windows
Private report: No CVE-ID: 2018-15132
 [2018-06-11 22:51 UTC] fernando at null-life dot com
Description:
------------
linkinfo function on windows doesn't implement openbasedir check, it can be seen by reviewing the source code. This could be abused to find files on paths outside of the allowed directories.


Windows: https://github.com/php/php-src/blob/master/ext/standard/link_win32.c#L88
Unix: https://github.com/php/php-src/blob/master/ext/standard/link.c#L85

Test script:
---------------
<?php

$var1="c:\\jump";
print "checking $var1 ...".PHP_EOL;
print @linkinfo($var1).PHP_EOL;
$var1="c:\\jump\\folder\\file1.txt";
print "checking $var1 ...".PHP_EOL;
print @linkinfo($var1).PHP_EOL;
$var1="c:\\jump\\blabla";
print "checking $var1 ...".PHP_EOL;
print @linkinfo($var1).PHP_EOL;

Expected result:
----------------
Warning: linkinfo(): open_basedir restriction in effect...
                

Actual result:
--------------
C:\php726\php.exe -n -dopen_basedir=C:\tools sample.php

checking c:\jump ...
2
checking c:\jump\folder\file1.txt ...
2
checking c:\jump\blabla ...
-1  

Patches

Admin (last revision 2018-09-11 07:20 UTC) by maocp_2014 at 163 dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-06-12 11:07 UTC] cmb@php.net
Why do we even have distinct implementations for linkinfo()?
 [2018-07-04 07:12 UTC] ab@php.net
I've pushed two branches to the security repo

- bug76459_56
- bug76459_70

Both are not more than applying http://git.php.net/?p=php-src.git;a=commitdiff;h=900778731c49611e1318e4d1839768eb46f26813 to link_win32.c.

I can't tell, why these implementations are separated. Some common parts can for sure be merged, if not all of them.

Thanks.
 [2018-07-16 23:57 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=289cb0f77c28b80a779170711f5e4e92cdd4fbdb
Log: Fixed bug #76459 windows linkinfo lacks openbasedir check
 [2018-07-16 23:57 UTC] stas@php.net
-Status: Open +Status: Closed
 [2018-07-16 23:58 UTC] stas@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f151e048ed27f6f4eef729f3310d053ab5da71d4
Log: Fixed bug #76459 windows linkinfo lacks openbasedir check
 [2018-07-18 09:55 UTC] krakjoe@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2fa74ad7c4f7f716183860e81489490b83277ccc
Log: Fixed bug #76459 windows linkinfo lacks openbasedir check
 [2018-08-09 12:47 UTC] fernando at null-life dot com
CVE-2018-15132 was assigned by MITRE

https://nvd.nist.gov/vuln/detail/CVE-2018-15132
 [2018-08-15 13:54 UTC] kaplan@php.net
-Assigned To: +Assigned To: kaplan -CVE-ID: +CVE-ID: 2018-15132
 [2018-08-15 13:54 UTC] kaplan@php.net
-Assigned To: kaplan +Assigned To: ab
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Thu Oct 18 22:01:26 2018 UTC