Bug #78141 open_basedir bug when write files on root directory
Submitted: 2019-06-11 09:57 UTC
Modified: 2021-07-12 17:23 UTC
From: phith0n dot ph2f at gmail dot com
Assigned:
Status: Open
Package: Filesystem function related
PHP Version: 7.3.6
OS: Any
Private report: No
CVE-ID: None
 [2019-06-11 09:57 UTC] phith0n dot ph2f at gmail dot com
Description:
------------
I found that when writing a new file/directory (the file shouldn't exist) into the Linux root directory, open_basedir does not work; maybe php_check_specific_open_basedir has a logic bug.

After digging into the source code, I found an error in https://github.com/php/php-src/blob/master/main/fopen_wrappers.c#L189.

It tries to find the last slash in the path, but if the path is equal to "/sample", the last slash is the root directory, and the resulting resolved_name is a pointer to an empty string.

The empty string is a substring of any other string, so the open_basedir checker returns true.

The bug affects lots of functions, such as:

- file_put_contents
- mkdir
- touch
- fopen
- ...

Test script:
---------------
root@s:/var/www/html# php -d open_basedir=/var/www/html/ -r "file_put_contents('/file_put_contents', 'data');"
root@s:/var/www/html# ls -al /file_put_contents

Expected result:
----------------
-rw-r--r-- 1 root root 4 Jun 11 12:42 /file_put_contents

Actual result:
--------------
Warning: file_put_contents(): open_basedir restriction in effect. File(/file_put_contents) is not within the allowed path(s): (/var/www/html/) in Command line code on line 1
Warning: file_put_contents(/file_put_contents): failed to open stream: Operation not permitted in Command line code on line 1

ls: cannot access '/file_put_contents': No such file or directory
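
The logic described in the report above, as an added example that is not part of the original report and is not php-src code: a simplified model of cutting a not-yet-existing path at its last slash and comparing the remainder against the basedir, next to a hardened variant. The function names and the exact comparison are hypothetical; the basedir value comes from the report and the other sample paths are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Fallback from the report: the target does not exist yet, so the path is
 * cut at its last slash and the remaining parent directory is checked. */
static void parent_of(const char *path, char *out, size_t outsz) {
    const char *slash = strrchr(path, '/');
    size_t n = slash ? (size_t)(slash - path) : 0;
    if (n >= outsz) n = outsz - 1;
    memcpy(out, path, n);
    out[n] = '\0';                      /* "/sample" becomes "" */
}

/* Flawed compare (hypothetical): only strlen(parent) bytes are compared,
 * so an empty parent matches any basedir. Returns 1 when allowed. */
int check_flawed(const char *basedir, const char *path) {
    char parent[4096];
    parent_of(path, parent, sizeof parent);
    return strncmp(basedir, parent, strlen(parent)) == 0;
}

/* Hardened compare (hypothetical): an empty parent is the root directory,
 * and basedir must prefix the parent on a path-component boundary. */
int check_hardened(const char *basedir, const char *path) {
    char parent[4096];
    size_t blen = strlen(basedir), plen;
    parent_of(path, parent, sizeof parent - 1);   /* keep room for '/' */
    if (parent[0] == '\0') strcpy(parent, "/");
    plen = strlen(parent);
    if (parent[plen - 1] != '/') { parent[plen++] = '/'; parent[plen] = '\0'; }
    return blen > 0 && strncmp(basedir, parent, blen) == 0
        && (basedir[blen - 1] == '/' || parent[blen] == '/');
}

int main(void) {
    const char *base = "/var/www/html/";          /* value from the report */
    const char *paths[] = { "/file_put_contents", "/tmp/x",
                            "/var/www/html/new.txt" };  /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-24s flawed=%d hardened=%d\n", paths[i],
               check_flawed(base, paths[i]), check_hardened(base, paths[i]));
    return 0;
}
```

In this model only paths directly under the root directory slip through the flawed compare; deeper paths outside the basedir are still rejected because their parent is non-empty.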

 [2019-06-11 09:58 UTC] phith0n dot ph2f at gmail dot com
-Summary: Bypassing open_basedir restrictions via sqlite3 uri (patch bypass)
+Summary: open_basedir bug when write files on root directory
 [2019-06-11 09:58 UTC] phith0n dot ph2f at gmail dot com
update title to "open_basedir bug when write files on root directory"
 [2019-06-11 10:01 UTC] phith0n dot ph2f at gmail dot com
-Summary: open_basedir bug when write files on root directory
+Summary: Bypassing open_basedir restrictions via sqlite3 uri (patch bypass)
 [2019-06-11 10:01 UTC] phith0n dot ph2f at gmail dot com
Wrong order.

Actual result:
----------------
-rw-r--r-- 1 root root 4 Jun 11 12:42 /file_put_contents

Expected result:
--------------
Warning: file_put_contents(): open_basedir restriction in effect. File(/file_put_contents) is not within the allowed path(s): (/var/www/html/) in Command line code on line 1
Warning: file_put_contents(/file_put_contents): failed to open stream: Operation not permitted in Command line code on line 1

ls: cannot access '/file_put_contents': No such file or directory
 [2019-06-11 10:03 UTC] phith0n dot ph2f at gmail dot com
-Summary: Bypassing open_basedir restrictions via sqlite3 uri (patch bypass)
+Summary: open_basedir bug when write files on root directory
 [2019-06-11 10:03 UTC] phith0n dot ph2f at gmail dot com
browser history of title is always wrong...
 [2020-05-05 12:31 UTC] cmb@php.net
-Status: Open
+Status: Feedback
-Assigned To:
+Assigned To: cmb
 [2020-05-05 12:31 UTC] cmb@php.net
I cannot reproduce the reported behavior (for me, an open_basedir
warning is raised).  Does this still happen to you?
 [2020-05-06 13:32 UTC] phith0n dot ph2f at gmail dot com
-Status: Feedback
+Status: Assigned
 [2020-05-06 13:32 UTC] phith0n dot ph2f at gmail dot com
Hi @cmb.

I still have this bug. I tested it on the latest version of PHP 7.4 in Docker:

# root @ OrangeDeafening-VM in ~ [21:06:31] 
$ docker pull php:7.4
7.4: Pulling from library/php
54fec2fa59d0: Pull complete 
cc4504446071: Pull complete 
f8d55b89827d: Pull complete 
6bf7f8bea876: Pull complete 
9a178eabfa4a: Pull complete 
99583d0b7ff2: Pull complete 
79c3ed7f9118: Pull complete 
cc3f66def185: Pull complete 
4f837fda4b52: Pull complete 
Digest: sha256:aa449b3b778a3549a89dde21b35261516ecabd84891081b72000a8f94a457f3c
Status: Downloaded newer image for php:7.4

# root @ OrangeDeafening-VM in ~ [21:07:22] 
$ docker run -it --rm --name uu php:7.4 bash
root@ead2e727ca67:/# cd /var/www/
root@ead2e727ca67:/var/www# ls
html
root@ead2e727ca67:/var/www# cd html/
root@ead2e727ca67:/var/www/html# ls
root@ead2e727ca67:/var/www/html# php -d open_basedir=/var/www/html/ -r "file_put_contents('/file_put_contents', 'data');"
root@ead2e727ca67:/var/www/html# ls -al /file_put_contents 
-rw-r--r-- 1 root root 4 May  6 13:08 /file_put_contents
root@ead2e727ca67:/var/www/html# php -v
PHP 7.4.5 (cli) (built: Apr 23 2020 16:39:51) ( NTS )
Copyright (c) The PHP Group
Zend Engine v3.4.0, Copyright (c) Zend Technologies
root@ead2e727ca67:/var/www/html#

I also tested it on Ubuntu 18.04, but the result is different. I am not sure if this bug only affects Docker PHP or source-compiled PHP.
 [2020-05-06 15:15 UTC] cmb@php.net
-Status: Assigned
+Status: Open
-Assigned To: cmb
+Assigned To:
 [2020-05-06 15:15 UTC] cmb@php.net
Thanks for checking!
 [2020-05-11 21:01 UTC] stas@php.net
Looks like on that image, if the file doesn't exist, it creates it, but if it does exist, it returns an error.

Does not reproduce on my local machine. Weird.
 [2021-07-12 15:37 UTC] cmb@php.net
-Type: Security
+Type: Bug
 [2021-07-12 15:37 UTC] cmb@php.net
open_basedir bypasses are not considered to be security issues;
cf. <https://externals.io/message/105606>
and <https://externals.io/message/115406>.
 
Last updated: Mon Dec 30 14:01:28 2024 UTC