ID: 41899
Comment by: ian at onlineloop dot com
Reported By: geoffwa at cs dot rmit dot edu dot au
Status: Assigned
Bug Type: Streams related
Operating System: Solaris 10
PHP Version: 5.2.3
Assigned To: tony2001
New Comment:
I've tried the patch offered by Geoff. It seems to work just fine for
us too in the cvs version from today (php5.2-200709121030).
Previous Comments:
------------------------------------------------------------------------
[2007-09-12 10:38:34] ian at onlineloop dot com
Verified that this is still not working in 5.2.4.
We made a system available on a Sun E3500, partially for the purposes
of fixing this bug. The last login from anyone from the PHP team was on
5 July 2007.
Is there any time plan to fix this bug? We are running on Solaris 10
and are stuck on PHP 5.1.6 because of this problem, so the situation for
us is critical.
------------------------------------------------------------------------
[2007-08-14 15:21:39] wdierkes at 5dollarwhitebox dot org
I have verified that this is *NOT* fixed in the latest CVS snapshot.
Tested on Redhat Enterprise Linux 4 i386. Can we can an ETA on an
official patch?
------------------------------------------------------------------------
[2007-07-07 02:04:42] geoffwa at cs dot rmit dot edu dot au
No idea if this is correct but it fixes it:
diff -ur ./php5.2-200707060030/main/safe_mode.c
./php-5.2-snap/main/safe_mode.c
--- ./php5.2-200707060030/main/safe_mode.c 2007-01-13
00:30:58.000000000 +1100
+++ ./php-5.2-snap/main/safe_mode.c 2007-07-07 11:42:10.804129000
+1000
@@ -86,7 +86,8 @@
* If that fails, passthrough and check directory...
*/
if (mode != CHECKUID_ALLOW_ONLY_DIR) {
- expand_filepath(filename, path TSRMLS_CC);
+ // VCWD_STAT() can handle relative paths right?
+ strlcpy(path, filename, MAXPATHLEN);
ret = VCWD_STAT(path, &sb);
if (ret < 0) {
if (mode == CHECKUID_DISALLOW_FILE_NOT_EXISTS)
{
diff -ur ./php5.2-200707060030/main/streams/plain_wrapper.c
./php-5.2-snap/main/streams/plain_wrapper.c
--- ./php5.2-200707060030/main/streams/plain_wrapper.c 2007-04-19
00:31:35.000000000 +1000
+++ ./php-5.2-snap/main/streams/plain_wrapper.c 2007-07-07
11:58:57.673891000 +1000
@@ -888,9 +888,10 @@
return NULL;
}
- if ((realpath = expand_filepath(filename, NULL TSRMLS_CC)) ==
NULL) {
- return NULL;
- }
+ //if ((realpath = expand_filepath(filename, NULL TSRMLS_CC)) ==
NULL) {
+ // return NULL;
+ //}
+ realpath = estrndup(filename, strlen(filename));
if (persistent) {
spprintf(&persistent_id, 0, "streams_stdio_%d_%s",
open_flags, realpath);
------------------------------------------------------------------------
[2007-07-06 16:04:30] geoffwa at cs dot rmit dot edu dot au
It's still broken in CVS (my bad - forgot to remove the workaround
patch we had).
virtual_file_ex() get called several times, with the last
invocation being:
virtual_file_ex(state = 0xffbfdf9c,
path = 0xffbfe018 "../b/file",
verify_path = (nil),
use_realpath = 1)
called from function expand_filepath
virtual_file_ex returns 1
Having written a rather grandoise summary of stepping through
virtual_file_ex() I think the problem might be in php_checkuid_ex().
------------------------------------------------------------------------
[2007-07-06 15:16:04] [EMAIL PROTECTED]
Thanks, but I need to do it myself in order to understand it.
I know quite well that realpath() on Solaris is badly broken, that's
known issue and Sun is not going to do anything about as far as I
understand.
The problem is that we need to invent a workaround for it so that we
don't break working realpath() implementations.
And to do that I need to reproduce it myself and investigate it using
GDB.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/41899
--
Edit this bug report at http://bugs.php.net/?id=41899&edit=1
