Re: [PHP-DEV] Bug #300: popen, when in safe mode, fails if you use a command with parameters From: Zeev Suraski (bourbon <email protected>)
Date: 04/22/98

I haven't thought this patch through, but I have a hunch it's not
complete. It doesn't handle space escapes ('\ ') in any way.

All in all, I'm pretty sure there are plenty of safe mode issues open in
3.0 - I'm not sure we should 'advertise' it as reliable (saying it's
reliable and being hit by a bugtraq article later, is worse than warning
people it's not really reliable quite yet (even though it increases
security to some extent).

Zeev

On 22 Apr 1998 monti <email protected> wrote:

> From: monti <email protected>
> Operating system: Linux
> PHP version: 3.0 Release Candidate 4
> PHP Bug Type: Other
> Bug description:
> If safe mode, the popen command search the '/' character to
> detect the presence of a path in the command to exec. This is
> OK, but has a problem; if you execute a command with parameters,
> for example:
> $fp=popen("ls dir/dir2","r")
>
> it will fail because it will replace "ls dir" by the path to the
> secure dir, trying to execute "dir2" from this.
>
> I wrote a path to correct this problem; this patch must be
> applied to file functions/file.c (where php3_popen function
> lives)
>
> The patch:
>
> --------------------- CUT HERE -------------------------
>
>
> 309c309,316
> < b = strrchr(arg1->value.str.val,'/');
> ---
> > b = strchr(arg1->value.str.val,' ');
> > if(!b) {
> > b = strrchr(arg1->value.str.val,'/');
> > } else {
> > c = arg1->value.str.val;
> > while((*b!='/')&&(b!=c)) b--;
> > if(b==c) b=NULL;
> > }
>
> --------------------- CUT HERE -------------------------
>
> 

-- 
-----------------------------------------------------
Zeev Suraski <zeev <email protected>>
For a PGP public key, finger bourbon <email protected>