severity 291410 normal
thanks

Hi Adam!

Adam Conrad [2005-01-21 9:45 +1000]:
> Martin Pitt said:
> > > > I fixed a pretty old vulnerability in PHP4's cURL module, see
> > > > http://www.securitytracker.com/alerts/2004/Oct/1011984.html
> > > > for details. The Ubuntu patch is at
> > > > http://patches.ubuntu.com/patches/php4.curl-open_basedir.diff
>
> Have you seen the thread at [1]?...

No, thanks for that pointer. I already knew that PHP's safe mode is not
really safe, but I didn't expect that upstream actively ignores patches to
at least improve it a little.

> I haven't checked yet, but does your patch fully address the
> different ways you can construct a "file://" URI (with and without
> hostname, etc?)

Erm, you can construct file:// URLs with a _hostname_? If that is possible,
then my patch will probably forbid too much (since e.g.
file://remotehost/path/to/my/file is probably not in open_basedir).

The patch is really simple: if you have a file:// URL, then the "file://"
prefix is stripped and the rest of the string (which is then the pure file
path) is checked with php_check_open_basedir(). I tested this on my server
(which happens to run php) and it works very well.

> According to the above thread, upstream will never accept this, as they're
> stubborn twits. (Well, the stubborn twits bit is my own estimate), but
> I'll be happy to add a patch permanently to the Debian sources of both
> php4 and php5, if we can make it as clean, simple, and foolproof as
> possible.

The patch is very simple and obvious (and clean); however, if there are
such weird constructions as remote file URLs, it is incomplete. It was easy
to write, and naive as I am I don't really see why fopen() should bother
about open_basedir and curl_init() shouldn't, so I just included it in a
security update (which I had to do anyway) and the Ubuntu unstable branch.

However, if upstream officially says that open_basedir, safe mode and all
that is neither working nor supported anyway, then it might not make too
much sense to maintain this patch.

> I can attempt to ping upstream with said patch and convince someone to
> commit it once it meets the above criteria (which it may already, I'll
> check your patch later today -- thanks).

Thanks for your efforts! I downgraded the bug a little, and if upstream
refuses to fix this (at whatever API level they deem appropriate), just
close this bug.

Have a nice day!

Martin

-- 
Martin Pitt                       http://www.piware.de
Ubuntu Developer                  http://www.ubuntulinux.org
Debian GNU/Linux Developer        http://www.debian.org
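An added example, not part of this message and not Martin's patch or PHP's code, written in C to illustrate the file:// forms Adam asks about and why a bare prefix strip is not enough: RFC 1738 allows file://<host>/<path>, so cutting "file://" off file://remotehost/path/to/my/file leaves a relative path rather than an absolute one. The check_file_url() function below is a hypothetical stand-in for the real php_check_open_basedir() call: it parses the authority part, accepts only an empty host or localhost, normalises the path lexically (no symlink resolution, no percent-decoding, both of which a real check would still need) and tests it against a basedir, including the /var/www versus /var/wwwx prefix pitfall. The sample URLs and the /var/www basedir are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Outcome of checking a URL against an open_basedir-style restriction. */
enum url_check {
    URL_NOT_FILE = 0,        /* not a file:// URL; not this check's business */
    URL_REMOTE_HOST = 1,     /* file://<host>/... with a host that is not local */
    URL_OUTSIDE_BASEDIR = 2, /* local path, but outside the allowed directory */
    URL_ALLOWED = 3          /* local path inside the allowed directory */
};

/* ASCII case-insensitive prefix test, used for the scheme and "localhost". */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* What the simple patch does: drop the scheme prefix and hand whatever is
 * left to the path check. With a host present the leftover is no longer an
 * absolute path, which is exactly the case Adam asked about. */
const char *naive_strip(const char *url)
{
    return has_prefix_ci(url, "file://") ? url + 7 : url;
}

/* Lexically normalise an absolute path: collapse repeated '/', drop "." and
 * resolve "..". Symlinks are NOT resolved (assumption: a real check would
 * realpath() the result too). Returns 0 if the input is not absolute or
 * does not fit into the output buffer. */
static int normalize_path(const char *in, char *out, size_t outsz)
{
    size_t len = 0;
    const char *p = in;

    if (outsz < 2 || in[0] != '/')
        return 0;
    out[0] = '\0';
    while (*p) {
        const char *seg;
        size_t seglen;
        while (*p == '/') p++;                 /* skip separators */
        seg = p;
        while (*p && *p != '/') p++;           /* one path segment */
        seglen = (size_t)(p - seg);
        if (seglen == 0 || (seglen == 1 && seg[0] == '.'))
            continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            while (len > 0 && out[len - 1] != '/') len--;   /* pop segment */
            if (len > 0) len--;                             /* and its '/' */
            out[len] = '\0';
            continue;
        }
        if (len + seglen + 2 > outsz)
            return 0;
        out[len++] = '/';
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len] = '\0';
    }
    if (len == 0) { out[0] = '/'; out[1] = '\0'; }   /* everything popped */
    return 1;
}

/* True if `path` is `basedir` itself or lies underneath it. The separator
 * test after the prefix avoids accepting /var/wwwx for a basedir of /var/www. */
static int path_within(const char *path, const char *basedir)
{
    size_t blen = strlen(basedir);
    if (strcmp(basedir, "/") == 0) return 1;
    if (strncmp(path, basedir, blen) != 0) return 0;
    return path[blen] == '\0' || path[blen] == '/';
}

/* Parse file://[host]/path (RFC 1738 form), accept only an empty host or
 * "localhost", then check the normalised path against basedir. */
enum url_check check_file_url(const char *url, const char *basedir)
{
    char norm[4096], base[4096];
    const char *rest, *slash;
    size_t hostlen;

    if (!has_prefix_ci(url, "file://"))
        return URL_NOT_FILE;
    rest = url + 7;
    slash = strchr(rest, '/');
    if (slash == NULL)                       /* "file://host" with no path */
        return URL_REMOTE_HOST;
    hostlen = (size_t)(slash - rest);
    if (hostlen != 0 && !(hostlen == 9 && has_prefix_ci(rest, "localhost")))
        return URL_REMOTE_HOST;
    if (!normalize_path(slash, norm, sizeof norm) ||
        !normalize_path(basedir, base, sizeof base))
        return URL_OUTSIDE_BASEDIR;          /* fail closed on anything odd */
    return path_within(norm, base) ? URL_ALLOWED : URL_OUTSIDE_BASEDIR;
}

int main(void)
{
    /* Constructed sample URLs; /var/www stands in for the open_basedir value. */
    static const char *samples[] = {
        "file:///var/www/index.html",
        "file://localhost/var/www/index.html",
        "file://remotehost/path/to/my/file",
        "file:///var/www/../../etc/passwd",
        "file:///var/wwwx/secret",
        "http://example.com/",
    };
    static const char *names[] = { "not file://", "remote host",
                                   "outside basedir", "allowed" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s -> %-15s (naive strip leaves \"%s\")\n", samples[i],
               names[check_file_url(samples[i], "/var/www")],
               naive_strip(samples[i]));
    return 0;
}
```

The remote-host case is reported separately from the basedir miss so the caller can decide policy for it (cURL itself would treat such a URL as local in most builds, so refusing it outright is the conservative choice); the ".." example shows why the check must run on the normalised path and not on the raw string the patch strips.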