php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76894 imageftbbox - listing files outside of openbase_dir
Submitted: 2018-09-17 04:04 UTC Modified: 2021-08-18 15:33 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: fernando at null-life dot com Assigned:
Status: Open Package: GD related
PHP Version: 7.2.10 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: fernando at null-life dot com
New email:
PHP Version: OS:

 

 [2018-09-17 04:04 UTC] fernando at null-life dot com
Description:
------------
When specifying a file that is outside of the openbasedir path, imageftbbox emits two warnings when the file used as a font exists, and only one when it doesn't. This allows to identify existing paths/files. I'm testing on Windows only.

For example: 

imageftbbox(10, 0, "C:\\windows", 'PHP');

Warning: imageftbbox(): open_basedir restriction in effect. File(c:\windows) is not within the allowed path(s): (C:\tools\phuzzer) in C:\tools\phuzzer\imageft.php on line 15

Warning: imageftbbox(): Invalid font filename in C:\tools\phuzzer\imageft.php on line 15

Test script:
---------------
php.exe -n -dopen_basedir=C:\tools\phuzzer -dextension=ext\php_gd2.dll imageft.php

<?php


function myErrorHandler($errno, $errstr, $errfile, $errline) {
  global $errorsgenerated;  
  $errorsgenerated = $errorsgenerated + 1;
  return true;
}

set_error_handler('myErrorHandler');

function file_exists_openbasedir($path) {
	global $errorsgenerated;
	$errorsgenerated = 0;
	imageftbbox(10, 0, $path, 'PHP');
	return $errorsgenerated > 1;
}

echo "c:\\anythingelse ".(file_exists_openbasedir("c:\\anythingelse") ? "exists" : "doesnt exist").PHP_EOL;
echo "c:\\windows ".(file_exists_openbasedir("c:\\windows")?  "exists" : "doesnt exist").PHP_EOL;

Expected result:
----------------
Same behavior regardless the file exists or no.

Actual result:
--------------
c:\anythingelse doesnt exist
c:\windows exists

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-09-17 15:14 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2018-09-17 15:14 UTC] cmb@php.net
According to our security classification[1] this is not a
security issue, since it:

| requires the use of settings not recommended for production -
| ex. error reporting to output

It seems strange that ZTS versions do not issue the open_basedir
restriction warning for non-existant files, but since the other
warning is the result of a failing open_basedir check, that's a
minor issue.

[1] <https://wiki.php.net/security>
 [2018-09-17 17:02 UTC] fernando at null-life dot com
Hi cmb, 

I think the argument regarding settings not recommended for production is not valid here, as you can see, even with display_errors=Off the code is still able to detect existing files/dirs out of the openbasedir path. 

If you don't want to clasify it as a security issue for any other reason, that's OK for me.

D:\FMS\fms\php7210ts>php.exe -n -dopen_basedir=d:\fms -ddisplay_errors=Off -dextension=ext\php_gd2.dll x.php
c:\anythingelse doesnt exist
c:\windows exists

As you mention, it only happens with the ZTS version, the NTS doesn't show this behaviour. Thanks"
 [2021-08-18 15:33 UTC] cmb@php.net
> If you don't want to clasify it as a security issue for any
> other reason, that's OK for me.

Maybe moot after this long time, but it has been decided to
classify any open_basedir related issue as not a security
issue[1].

Anyhow, this is related to bug #75656.

[1] <https://wiki.php.net/security>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 10:01:30 2024 UTC