ID: 41899
Comment by: ian at onlineloop dot com
Reported By: geoffwa at cs dot rmit dot edu dot au
Status: Assigned
Bug Type: Streams related
Operating System: Solaris 10
PHP Version: 5.2.3
Assigned To: tony2001
New Comment:
Unfortunately we are not in a position to wither wait for PHP6 nor
immediately migrate to it when it does come out. We have too many
users with too many scripts on our server, and telling over 800
people that they have to adjust their scripts in less than 6 months
just doesn't work here :-(
With the continuing failure to fix this bug, we are left in a very
uncomfortable situation, either continue with the security hole
loaded 5.1.6, or apply the patch you offered. No one from the PHP
project has logged into the system we set up for them on an E3500 since
5 July 2007 either, so I'm really left wondering about the seriousness
there is to actually fix this bug.
Anyway, I have seen from the source for PHP that realpath is
definately not a function from Sun. realplath is all from the PHP
project itself, so the attempt to shovel off the blame to Sun (post
from 6 Jul 3:16pm) is not justifiable. Besides, this all worked just
fine up until PHP 5.2.0 came out...
Previous Comments:
------------------------------------------------------------------------
[2007-09-13 01:56:00] geoffwa at cs dot rmit dot edu dot au
I'll stress again that while the patch may work, I'm not sure if it's
'correct' or not, mainly because I have no idaa what php_checkuid_ex()
is supposed to return, safe_mode-isms like open_basedir may need it.
I just traced the execution of the offending PHP script repeatedly for
the failure case, and deduced that the expand_filepath() call in
php_checkuid_ex() that I've removed in the patch was returning an empty
path under similar conditions to where a getcwd() call would fail.
The actual path blatting appeared to occur in virtual_file_ex(), and we
produced a separate patch which completely short-circuited this function
and also made the all test conditions work.
Given that PHP6 is removing safe_mode completely, I imagine this
problem will hopefully be fixed then :)
------------------------------------------------------------------------
[2007-09-12 11:53:14] ian at onlineloop dot com
I've tried the patch offered by Geoff. It seems to work just fine for
us too in the cvs version from today (php5.2-200709121030).
------------------------------------------------------------------------
[2007-09-12 10:38:34] ian at onlineloop dot com
Verified that this is still not working in 5.2.4.
We made a system available on a Sun E3500, partially for the purposes
of fixing this bug. The last login from anyone from the PHP team was on
5 July 2007.
Is there any time plan to fix this bug? We are running on Solaris 10
and are stuck on PHP 5.1.6 because of this problem, so the situation for
us is critical.
------------------------------------------------------------------------
[2007-08-14 15:21:39] wdierkes at 5dollarwhitebox dot org
I have verified that this is *NOT* fixed in the latest CVS snapshot.
Tested on Redhat Enterprise Linux 4 i386. Can we can an ETA on an
official patch?
------------------------------------------------------------------------
[2007-07-07 02:04:42] geoffwa at cs dot rmit dot edu dot au
No idea if this is correct but it fixes it:
diff -ur ./php5.2-200707060030/main/safe_mode.c
./php-5.2-snap/main/safe_mode.c
--- ./php5.2-200707060030/main/safe_mode.c 2007-01-13
00:30:58.000000000 +1100
+++ ./php-5.2-snap/main/safe_mode.c 2007-07-07 11:42:10.804129000
+1000
@@ -86,7 +86,8 @@
* If that fails, passthrough and check directory...
*/
if (mode != CHECKUID_ALLOW_ONLY_DIR) {
- expand_filepath(filename, path TSRMLS_CC);
+ // VCWD_STAT() can handle relative paths right?
+ strlcpy(path, filename, MAXPATHLEN);
ret = VCWD_STAT(path, &sb);
if (ret < 0) {
if (mode == CHECKUID_DISALLOW_FILE_NOT_EXISTS)
{
diff -ur ./php5.2-200707060030/main/streams/plain_wrapper.c
./php-5.2-snap/main/streams/plain_wrapper.c
--- ./php5.2-200707060030/main/streams/plain_wrapper.c 2007-04-19
00:31:35.000000000 +1000
+++ ./php-5.2-snap/main/streams/plain_wrapper.c 2007-07-07
11:58:57.673891000 +1000
@@ -888,9 +888,10 @@
return NULL;
}
- if ((realpath = expand_filepath(filename, NULL TSRMLS_CC)) ==
NULL) {
- return NULL;
- }
+ //if ((realpath = expand_filepath(filename, NULL TSRMLS_CC)) ==
NULL) {
+ // return NULL;
+ //}
+ realpath = estrndup(filename, strlen(filename));
if (persistent) {
spprintf(&persistent_id, 0, "streams_stdio_%d_%s",
open_flags, realpath);
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/41899
--
Edit this bug report at http://bugs.php.net/?id=41899&edit=1
