Doc Bug #81339 NTFS streams on Windows are partially supported
Submitted: 2021-08-07 10:22 UTC Modified: 2021-08-17 10:13 UTC
Votes:2
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: phith0n dot ph2f at gmail dot com Assigned:
Status: Verified Package: *Directory/Filesystem functions
PHP Version: 7.4 OS: Windows
Private report: No CVE-ID: None

 [2021-08-07 10:22 UTC] phith0n dot ph2f at gmail dot com
Description:
------------
I am using the PHP built-in server as the development web server on Windows. Recently I found a bug, sometimes a vulnerability, which is able to expose the PHP scripts' source code in the web folder.

NTFS streams are supported on Windows; see this document: <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3>. So using info.php::$DATA to open and read the file info.php is valid, which bypasses the extension dispatch in the built-in web server:

```c
if (client->request.ext_len != 3
 || (ext[0] != 'p' && ext[0] != 'P') || (ext[1] != 'h' && ext[1] != 'H') || (ext[2] != 'p' && ext[2] != 'P')
 || !client->request.path_translated) {
	is_static_file = 1;
}
```

Some related bugs are:

- https://bugs.php.net/77932
- https://bugs.php.net/71559 

Test script:
---------------
Run the PHP built-in server on a Windows NTFS filesystem:

```
php -S localhost:9090
```

Put a PHP script info.php in the web folder:

```
<?php
phpinfo();
```

Browse to `http://localhost:9090/info.php::$DATA` from a browser or cURL.

Expected result:
----------------
A "404 not found" error is raised.

Actual result:
--------------
Source code of info.php is exposed: <https://imgur.com/G9tBTHy>

 [2021-08-07 10:44 UTC] cmb@php.net
-Type: Bug
+Type: Security
-Private report: No
+Private report: Yes
 [2021-08-07 10:44 UTC] cmb@php.net
Since the built-in Webserver is for *development* purposes only,
exposing the source code is not a vulnerability by definition.

However, that stream stuff might open other vulnerabilities, so
I'm tentatively switching to sec bug while this is being
investigated more closely.

Thank you for reporting this issue!
 [2021-08-07 14:05 UTC] cmb@php.net
-Type: Security
+Type: Bug
-Assigned To:
+Assigned To: cmb
 [2021-08-07 14:05 UTC] cmb@php.net
I don't see an immediate security issue in php-src.

However, there are inconsistencies regarding the default and
alternate file and dir streams.  While file_exists() and friends
report any such stream as not accessible (i.e. they return false),
and realpath() returns false as well, reading, writing and
statting these streams is fully supported.  copy($filename) (only
copies the file's default stream) and move($filename) (copies the
file with all streams), behave as expected.

Furthermore, pathinfo() and friends regard the suffix as part of
the file extension, which is not really correct, and *might* cause
issues in userland code, which is not aware of NTFS streams.

Disabling support for the streams would solve all that, but
besides the obvious BC break, would also remove a potentially
desired feature.  So I think we should prominently document this
issue, and maybe fix the issue regarding the built-in Webserver.
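
A userland guard for the built-in server case from this report and for the pathinfo() remark above, as an added example that is not part of the bug thread or of php-src: a router script that answers 404 for any request path using NTFS stream syntax. The file name router.php and the helper has_ntfs_stream_syntax() are hypothetical.

```php
<?php
// router.php (hypothetical name). Start the server with:
//   php -S localhost:9090 router.php
// Added example; not code from php-src.

/**
 * True if any path segment contains a colon, i.e. NTFS stream syntax
 * such as "info.php::$DATA" or "dir:stream". A bare drive letter ("C:")
 * is accepted only as the first segment.
 */
function has_ntfs_stream_syntax(string $path): bool
{
    foreach (preg_split('#[/\\\\]#', $path) as $i => $segment) {
        if ($i === 0 && preg_match('/^[A-Za-z]:$/', $segment)) {
            continue;
        }
        if (strpos($segment, ':') !== false) {
            return true;
        }
    }
    return false;
}

if (PHP_SAPI === 'cli-server') {
    // Strip the query string by hand, then decode so "%3A" is caught too.
    $path = rawurldecode(explode('?', $_SERVER['REQUEST_URI'], 2)[0]);
    if (has_ntfs_stream_syntax($path)) {
        http_response_code(404);
        echo 'Not Found';
        return true;  // request handled here, nothing is read from disk
    }
    return false;     // no stream syntax: let the built-in server dispatch
}

// Run as "php router.php" to compare pathinfo() with the check above.
// The sample paths are constructed for this example.
foreach (['/info.php', '/info.php::$DATA', '/docs:notes/index.php'] as $sample) {
    printf(
        "%-24s extension=%-12s stream syntax=%s\n",
        $sample,
        pathinfo($sample, PATHINFO_EXTENSION),
        has_ntfs_stream_syntax($sample) ? 'yes' : 'no'
    );
}
```

The same helper can be called before any extension-based allow or deny decision in userland code, since an extension check alone does not recognise a stream suffix.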
 [2021-08-17 10:13 UTC] cmb@php.net
-Summary: PHP source code exposed on Windows
+Summary: NTFS streams on Windows are partially supported
-Status: Assigned
+Status: Verified
-Type: Bug
+Type: Documentation Problem
-Package: Built-in web server
+Package: *Directory/Filesystem functions
-PHP Version: 8.0.9
+PHP Version: 7.4
-Assigned To: cmb
+Assigned To:
 [2021-08-17 10:13 UTC] cmb@php.net
To wrap this up, I reclassify as a filesystem related doc problem.
The built-in Webserver case is special, but since this is a
*development* tool, there is no security issue, and only the
scenarios described above are possible (for instance, the partial
NTFS stream support doesn't allow for path traversal).

For the general case, we should just document that accessing NTFS
streams via the filesystem functions exhibits undefined behavior.
This leaves some opportunity to later revise this, and to either
fully support those, or to not support those at all.  However, I'm
very unsure *where* to document this; adding a note to all
relevant functions appears to be too much.
Last updated: Sat Oct 16 09:03:33 2021 UTC