Edit report at http://bugs.php.net/bug.php?id=52624&edit=1

 ID:                 52624
 Comment by:         alexis dot olivier at unicaen dot fr
 Reported by:        hirad dot navid at t-systems dot at
 Summary:            tempnam() in SAFE Mode
 Status:             Open
 Type:               Bug
 Package:            Unknown/Other Function
 Operating System:   RHEL 5
 PHP Version:        5.2.14
 Block user comment: N
 Private report:     N

 New Comment:

Hello everybody,



We got the same case with open_basedir restriction.



The users have no access to /tmp (they have their own tmp dir). When
calling tempnam('/tmp', 'tempname'), The open_basedir restriction takes
effect and creation of the file is forbidden.



But, when calling tempnam('path_that_doesnt_exist', 'tempname'), the
function takes /tmp in fallback and file is created (overriding the
open_basedir restriction). The file can't be written (open_basedir
restriction), but this bug can be used to overflow tmp directory.



I think it lacks a test in the function to protect from writing out of
open_basedir restriction.



Test script:

------------

With open_basedir not including /tmp : 

<?php

// This gives a warning

echo tempnam("/tmp", "prefix_");

// This creates a file in /tmp

echo tempnam("directory_that_not_exists", "prefix_");

?>


Previous Comments:
------------------------------------------------------------------------
[2010-08-17 14:39:52] hirad dot navid at t-systems dot at

Description:
------------
Dear php Team,



We are using php 5.2.13 and Safe_mod is ON.



we have a problem using tempnam, at first we had tempnam('',tempfile); 

This did not work - error "can not access /tmp



Later I investigated and have written the testscript and have following
behavior. Attention script must be owned by non root user



the script with 7th line $tmp_name = tempnam ( 'tmp', 'tempname' );
works fine also with safe_mode



when i change it to $tmp_name = tempnam ( '/tmp', 'tempname' ); a
safe_mode restriction takes effect (the one with compares UID/GID and
puts out 

Warning: tempnam() [function.tempnam]: SAFE MODE Restriction in effect.
The script whose uid/gid is 506/506 is not allowed to access /tmp owned
by uid/gid 0/0 in /home/httpd/html/default/tempfile.php on line 7



but why does it work without the beginning '/'?

Can you clarify this behavior please? and another issuse is that when i
try with $tmp_name = tempnam ( '/tmp', 'tempname' ); it does not make a
diference putting /tmp to openbasedir or safe_mode_includedir it dies
not work.





I have also read the changelog and have found that since PHP 5.2.12 some
issues with tempname and safe_mode have been fixed - there was a bug
that tempnam ignores safe_mode. And this correct because i tested with
php 5.2.11 and it worked with /tmp also. Can you tell me ehat exactly is
changed saince version 5.2.12?







Test script:
---------------
<?PHP



$xx = sys_get_temp_dir();

echo $xx . '<br>';

for ( $x = 0; $x <= 5; $x++ )

{

  $tmp_name = tempnam ( 'tmp', 'tempname' );

  echo $tmp_name . '<br>';

}

$str = 'standing in a tempfile';

$tmp_file = fopen ( $tmp_name, 'w' );

fputs ( $tmp_file, $str );

fclose ( $tmp_file );

$fp = fopen ( $tmp_name, 'r' );

$str = fgets ( $fp, 50 );

fclose ( $fp );

echo $str;

?>

Expected result:
----------------
script above works fine also in safe mode change 7th line from

$tmp_name = tempnam ( 'tmp', 'tempname' );

to

$tmp_name = tempnam ( '/tmp', 'tempname' ); bringe a safe_mode
restriction which is also ok, but why does it work without / and why
does it not make a diference putting /tmp to openbasedir or
safe_mode_include_dir





------------------------------------------------------------------------



-- 
Edit this bug report at http://bugs.php.net/bug.php?id=52624&edit=1

Reply via email to