Bug #79980 require_once can include a file twice via symlink loops
Submitted: 2020-08-16 05:18 UTC Modified: -
Avg. Score:3.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: i at littlefisher dot me Assigned:
Status: Open Package: *Directory/Filesystem functions
PHP Version: 7.2.33 OS: Ubuntu18.04
Private report: No CVE-ID: None


 [2020-08-16 05:18 UTC] i at littlefisher dot me
Normally, when we include a file via `require_once()` which has been included before, PHP will prevent this behavior.

But when we set the file path to a symbolic link, PHP will be fooled. The example in the test script below demonstrates it. Assume there is some secret in `config.php`.

We can pass our payload to the `content` query parameter, and then PHP will resolve the file path to '/proc/24273/root/proc/self/root/var/www/html/config.php'.

Eventually, the `require_once` is bypassed. We got the base64-encoded content of `config.php`.



Test script:
/* index.php */
if(isset($_GET['content'])) {
    $content = $_GET['content'];
/* config.php */
$MYSQL_PORT = 3306;
$MYSQL_USERNAME = 'admin';
$MYSQL_PASSWORD = 'admin';

Expected result:
Expected result is that `config.php` cannot be included twice by the recursive symbolic link.
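
One way an application can guard a user-controlled include path against the symlink aliasing reported above, as an added example that is not part of the original report or of PHP itself: canonicalize with realpath(), confine the result to a base directory, and compare it against the canonical paths from get_included_files(). The function name resolve_user_path(), the directory layout and the demo files are assumptions made for illustration.

```php
<?php
// Added example, not code from the bug report. resolve_user_path() and the
// demo directory layout are hypothetical names chosen for illustration.

/** Return the canonical path for a user-supplied name, or null to refuse it. */
function resolve_user_path(string $input, string $baseDir): ?string
{
    $base = realpath($baseDir);
    // realpath() returns false when a path cannot be resolved; refuse the
    // request in that case instead of handing the raw string to include.
    $real = realpath($input);
    if ($base === false || $real === false) {
        return null;
    }
    // Confine the canonical path to the allowed directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Refuse a file that is already loaded, comparing canonical paths
    // rather than relying on require_once's own bookkeeping.
    foreach (get_included_files() as $loaded) {
        if (realpath($loaded) === $real) {
            return null;
        }
    }
    return $real;
}

// Constructed demo: config.php sits beside a public/ directory that holds
// one ordinary file and a symlink pointing back at config.php.
$dir = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($dir . '/public', 0700, true);
file_put_contents($dir . '/config.php', '<?php $MYSQL_PORT = 3306;');
file_put_contents($dir . '/public/page.txt', 'hello');
symlink($dir . '/config.php', $dir . '/public/link.txt');
require_once $dir . '/config.php';

// Ordinary file inside the base directory: accepted.
var_dump(resolve_user_path($dir . '/public/page.txt', $dir . '/public'));
// Symlink that leaves the base directory: refused.
var_dump(resolve_user_path($dir . '/public/link.txt', $dir . '/public'));
// Symlink alias of an already included file, base widened to $dir: refused.
var_dump(resolve_user_path($dir . '/public/link.txt', $dir));

// Remove the demo files.
array_map('unlink', ["$dir/public/link.txt", "$dir/public/page.txt", "$dir/config.php"]);
rmdir("$dir/public");
rmdir($dir);
```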


Last updated: Tue Mar 09 08:01:24 2021 UTC