Bug #77085 Function glob() is not checked for open_basedir
Submitted: 2018-10-31 01:49 UTC
Modified: 2018-10-31 15:16 UTC
From: pavtov90 at gmail dot com
Assigned:
Status: Verified
Package: Filesystem function related
PHP Version: 7.2.11
OS: Windows/Linux
Private report: No
CVE-ID: None

 [2018-10-31 01:49 UTC] pavtov90 at gmail dot com
Description:
------------
I've seen previous reports, but their status is fixed.

Wrapper on Windows glob:// is not checked for open_basedir. If I checked correctly, where it is possible to insert it, errors will be generated that can be used as True or False. But I decided to test it simply, without unnecessary functions.


Test script:
---------------
php.ini:

open_basedir = C:/php/




<?php
var_dump(glob("C:/test/1*"));
?>

Expected result:
----------------
Warning: _____ open_basedir restriction in effect...

Actual result:
--------------
If true (a file or folder exists)
Result : bool(false)

If false(no file or folder exists)
Result : array(0){}

 [2018-10-31 02:23 UTC] pavtov90 at gmail dot com
-Operating System: Windows
+Operating System: Windows/Linux
 [2018-10-31 02:23 UTC] pavtov90 at gmail dot com
I am testing on Linux through ini_set('open_basedir','/path/'); and it gave me the same result.
 [2018-10-31 02:24 UTC] pavtov90 at gmail dot com
-Summary: Wrapper on Windows glob:// is not checked for open_basedir
+Summary: Wrapper on glob:// is not checked for open_basedir
 [2018-10-31 02:24 UTC] pavtov90 at gmail dot com
.
 [2018-10-31 02:25 UTC] pavtov90 at gmail dot com
on linux - PHP Version 7.1.23
 [2018-10-31 07:59 UTC] pavtov90 at gmail dot com
-Summary: Wrapper on glob:// is not checked for open_basedir
+Summary: Function glob() is not checked for open_basedir
 [2018-10-31 07:59 UTC] pavtov90 at gmail dot com
/
 [2018-10-31 08:33 UTC] spam2 at rhsoft dot net
would you stop your one char comments triggering in mails leading to whatever cared about the Bugreport filters it no?
 [2018-10-31 15:16 UTC] cmb@php.net
-Status: Open
+Status: Verified
-Package: *General Issues
+Package: Filesystem function related
 [2018-10-31 15:16 UTC] cmb@php.net
The open_basedir check is done for each of the globbed files, and
suppresses warnings[1], likely to prevent multiple warnings.
However, it doesn't trigger a single open_basedir related warning,
if an open_basedir violation had been detected[2].

> If false(no file or folder exists)
> Result : array(0){}

This is a particular issue.  If no file is globbed, no individual
open_basedir check can be done (and possibly fail).  While there
is an open_basedir check on the pattern[3], it is skipped on
Windows, and I wonder whether it can be sufficient for all
possible glob patterns on other systems.

To avoid any open_basedir related differences, we could never
return an empty array (and never raise an open_basedir warning),
but that would be quite a BC break[4].

BTW: the `continue`[5] doesn't seem to make sense.  A `break`
should be more sensible.

[1] <https://github.com/php/php-src/blob/php-7.3.0RC4/ext/standard/dir.c#L516>
[2] <https://github.com/php/php-src/blob/php-7.3.0RC4/ext/standard/dir.c#L546-L547>
[3] <https://github.com/php/php-src/blob/php-7.3.0RC4/ext/standard/dir.c#L504>
[4] <https://github.com/php/php-src/blob/php-7.3.0RC4/ext/standard/dir.c#L478-L484>
[5] <https://github.com/php/php-src/blob/php-7.3.0RC4/ext/standard/dir.c#L518>
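
An application-level guard for the behaviour described in the comment above, as an added example that is not part of the original report or of php-src: it checks the pattern lexically before glob() is called and returns one result shape, so the bool(false) versus array(0) difference from the report is not exposed to callers. The names guarded_glob, pattern_within_base and glob_fixed_dir, and the ALLOWED_BASE value (copied from the report's php.ini), are assumptions for illustration.

```php
<?php
// Added example, not php-src code. ALLOWED_BASE is an assumption taken from
// the report's php.ini (open_basedir = C:/php/).
const ALLOWED_BASE = 'C:/php/';

/** Literal directory prefix: up to the last "/" before the first wildcard. */
function glob_fixed_dir(string $pattern): string
{
    $pattern = str_replace('\\', '/', $pattern);
    $prefix  = substr($pattern, 0, strcspn($pattern, '*?['));
    $slash   = strrpos($prefix, '/');
    return $slash === false ? '' : substr($prefix, 0, $slash + 1);
}

/** Lexical check only: no filesystem access happens before the decision.
 *  Symlinks are not resolved here; PHP's per-file check still applies. */
function pattern_within_base(string $pattern, string $base = ALLOWED_BASE): bool
{
    $norm = str_replace('\\', '/', $pattern);
    // Refuse ".." anywhere: a wildcard segment followed by ".." can climb out.
    if (in_array('..', explode('/', $norm), true)) {
        return false;
    }
    $dir  = glob_fixed_dir($norm);
    $base = rtrim(str_replace('\\', '/', $base), '/') . '/';
    // Case-insensitive because the assumed base is a Windows path;
    // use strncmp() instead on case-sensitive filesystems.
    return $dir !== '' && strncasecmp($dir, $base, strlen($base)) === 0;
}

/** glob() replacement: the same exception for every out-of-base pattern,
 *  and a failed glob() (false) is folded into [] so callers see one shape. */
function guarded_glob(string $pattern): array
{
    if (!pattern_within_base($pattern)) {
        throw new InvalidArgumentException('glob pattern outside allowed directory');
    }
    $matches = @glob($pattern);   // flags stay at 0, so no GLOB_BRACE expansion
    return is_array($matches) ? $matches : [];
}

// Constructed inputs: the report's pattern, a ".." escape, an in-base pattern.
var_dump(pattern_within_base('C:/test/1*'));
var_dump(pattern_within_base('C:/php/*/../../test/1*'));
var_dump(pattern_within_base('C:/php/uploads/*.png'));
```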
 [2018-10-31 15:58 UTC] pavtov90 at gmail dot com
Getting a bypass on open_basedir?
 
Last updated: Fri Nov 16 09:01:26 2018 UTC