ID: 41899
Comment by: ian at onlineloop dot com
Reported By: geoffwa at cs dot rmit dot edu dot au
Status: Assigned
Bug Type: Streams related
Operating System: Solaris 10
PHP Version: 5.2.3
Assigned To: tony2001

New Comment:

Verified that this is still not working in 5.2.4. We made a system available on a Sun E3500, partially for the purposes of fixing this bug. The last login from anyone from the PHP team was on 5 July 2007. Is there any time plan to fix this bug? We are running on Solaris 10 and are stuck on PHP 5.1.6 because of this problem, so the situation for us is critical.

Previous Comments:
------------------------------------------------------------------------
[2007-08-14 15:21:39] wdierkes at 5dollarwhitebox dot org

I have verified that this is *NOT* fixed in the latest CVS snapshot. Tested on Redhat Enterprise Linux 4 i386. Can we get an ETA on an official patch?

------------------------------------------------------------------------
[2007-07-07 02:04:42] geoffwa at cs dot rmit dot edu dot au

No idea if this is correct but it fixes it:

diff -ur ./php5.2-200707060030/main/safe_mode.c ./php-5.2-snap/main/safe_mode.c --- ./php5.2-200707060030/main/safe_mode.c 2007-01-13 00:30:58.000000000 +1100 +++ ./php-5.2-snap/main/safe_mode.c 2007-07-07 11:42:10.804129000 +1000 @@ -86,7 +86,8 @@ * If that fails, passthrough and check directory... */ if (mode != CHECKUID_ALLOW_ONLY_DIR) { - expand_filepath(filename, path TSRMLS_CC); + // VCWD_STAT() can handle relative paths right? + strlcpy(path, filename, MAXPATHLEN); ret = VCWD_STAT(path, &sb); if (ret < 0) { if (mode == CHECKUID_DISALLOW_FILE_NOT_EXISTS) { diff -ur ./php5.2-200707060030/main/streams/plain_wrapper.c ./php-5.2-snap/main/streams/plain_wrapper.c --- ./php5.2-200707060030/main/streams/plain_wrapper.c 2007-04-19 00:31:35.000000000 +1000 +++ ./php-5.2-snap/main/streams/plain_wrapper.c 2007-07-07 11:58:57.673891000 +1000 
@@ -888,9 +888,10 @@ return NULL; } - if ((realpath = expand_filepath(filename, NULL TSRMLS_CC)) == NULL) { - return NULL; - } + //if ((realpath = expand_filepath(filename, NULL TSRMLS_CC)) == NULL) { + // return NULL; + //} + realpath = estrndup(filename, strlen(filename)); if (persistent) { spprintf(&persistent_id, 0, "streams_stdio_%d_%s", open_flags, realpath);

------------------------------------------------------------------------
[2007-07-06 16:04:30] geoffwa at cs dot rmit dot edu dot au

It's still broken in CVS (my bad - forgot to remove the workaround patch we had).

virtual_file_ex() gets called several times, with the last invocation being:

virtual_file_ex(state = 0xffbfdf9c, path = 0xffbfe018 "../b/file", verify_path = (nil), use_realpath = 1)
called from function expand_filepath
virtual_file_ex returns 1

Having written a rather grandiose summary of stepping through virtual_file_ex() I think the problem might be in php_checkuid_ex().

------------------------------------------------------------------------
[2007-07-06 15:16:04] [EMAIL PROTECTED]

Thanks, but I need to do it myself in order to understand it. I know quite well that realpath() on Solaris is badly broken, that's a known issue and Sun is not going to do anything about it as far as I understand. The problem is that we need to invent a workaround for it so that we don't break working realpath() implementations. And to do that I need to reproduce it myself and investigate it using GDB.

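Review bot: in the main/safe_mode.c hunk of the 2007-07-07 patch, the return value of strlcpy(path, filename, MAXPATHLEN) is not checked, so a filename of MAXPATHLEN bytes or more is silently truncated and VCWD_STAT(path, &sb) then stats a different name than the one the caller passed in. Fail the check when strlcpy() returns >= MAXPATHLEN. The added comment is an open question ("can handle relative paths right?") and should be answered before this goes in; it also uses // where the surrounding context uses /* */. Since path is no longer expanded, please confirm that nothing later in this function relies on it being absolute and normalized.
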
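Review bot: in the main/streams/plain_wrapper.c hunk of the 2007-07-07 patch, realpath is now a plain copy of the caller-supplied filename, yet it still feeds the persistent key built by spprintf(&persistent_id, 0, "streams_stdio_%d_%s", open_flags, realpath), so the same relative name (for example "../b/file") opened from two different working directories produces the same persistent_id. Consider keeping the expand_filepath() call and falling back to the copy only when it returns NULL, so platforms with a working realpath() keep a resolved key. The three commented-out lines should be deleted rather than left in place, and estrndup(filename, strlen(filename)) can simply be estrdup(filename).
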
------------------------------------------------------------------------
[2007-07-06 15:00:30] geoffwa at cs dot rmit dot edu dot au

Doing a bit of tracing of expand_filepath nets:

(from PHP-5.2.3)

expand_filepath(filepath = 0xffbff5f4 "test2.php", real_path = 0xffbfee20 "")
called from function php_execute_script
expand_filepath returns 0xffbfee20 "/home/g/geoffwa/test/test2.php"
expand_filepath(filepath = 0xffbfdec0 "./a", real_path = 0xffbfe2c4 "")
called from function php_checkuid_ex
expand_filepath returns 0xffbfe2c4 "/home/g/geoffwa/test/a"
expand_filepath(filepath = 0xffbfe108 "./a/b/file", real_path = 0xffbfe50c "")
called from function php_checkuid_ex
expand_filepath returns 0xffbfe50c "/home/g/geoffwa/test/a/b/file"
expand_filepath(filepath = 0xffbfe098 "./a", real_path = 0xffbfe49c "")
called from function php_checkuid_ex
expand_filepath returns 0xffbfe49c "/home/g/geoffwa/test/a"
expand_filepath(filepath = 0xffbfe028 "./a", real_path = 0xffbfe42c "")
called from function php_checkuid_ex
expand_filepath returns 0xffbfe42c "/home/g/geoffwa/test/a"
expand_filepath(filepath = 0xffbfe120 "./a/b", real_path = 0xffbfe524 "")
called from function php_checkuid_ex
expand_filepath returns 0xffbfe524 "/home/g/geoffwa/test/a/b"
expand_filepath(filepath = 0xffbfdfd8 "../b/file", real_path = 0xffbfe3dc "")
called from function php_checkuid_ex
expand_filepath returns (nil)

(from PHP 5.2 snap 200707060030)

expand_filepath(filepath = 0xffbff5ef "test2.php", real_path = 0xffbfee18 "")
called from function php_execute_script
expand_filepath returns 0xffbfee18 "/home/g/geoffwa/test/test2.php"
expand_filepath(filepath = 0xffbfdeb8 "./a", real_path = 0xffbfe2bc "")
called from function php_checkuid_ex
expand_filepath returns 0xffbfe2bc "/home/g/geoffwa/test/a"
expand_filepath(filepath = 0xffbfe100 "./a/b/file", real_path = 0xffbfe504 "")
called from function php_checkuid_ex
expand_filepath returns 0xffbfe504 "/home/g/geoffwa/test/a/b/file"
expand_filepath(filepath = 0xffbfe090 "./a", real_path = 0xffbfe494 "")
called from function php_checkuid_ex
expand_filepath returns 0xffbfe494 "/home/g/geoffwa/test/a"
expand_filepath(filepath = 0xffbfe020 "./a", real_path = 0xffbfe424 "")
called from function php_checkuid_ex
expand_filepath returns 0xffbfe424 "/home/g/geoffwa/test/a"
expand_filepath(filepath = 0xffbfe118 "./a/b", real_path = 0xffbfe51c "")
called from function php_checkuid_ex
expand_filepath returns 0xffbfe51c "/home/g/geoffwa/test/a/b"
expand_filepath(filepath = 0xffbfdfd0 "../b/file", real_path = 0xffbfe3d4 "")
called from function php_checkuid_ex
expand_filepath returns 0xffbfe3d4 "../b/file"
expand_filepath(filepath = 0x53d1c0 "../b/file", real_path = (nil))
called from function _php_stream_fopen
expand_filepath returns 0x53d398 "../b/file"

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/41899