Date: 04/06/00
- Next message: phallstrom <email protected>: "[PHP-DEV] PHP 4.0 Bug #4060: PHP_SELF is not set."
- Previous message: Bug Database: "[PHP-DEV] PHP 4.0 Bug #3260 Updated: ucfirst has disappear"
- In reply to: Paul Gregg: "Re: [PHP-DEV] safe_mode.c patch - segmentation fault"
- Next in thread: Zeev Suraski: "Re: [PHP-DEV] (environ) safe_mode.c patch - segmentation fault"
- Reply: Zeev Suraski: "Re: [PHP-DEV] (environ) safe_mode.c patch - segmentation fault"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Thanks Zeev,
Ok, I couldn't figure out running httpd with the -X, gdb wouldn't accept the
arg - but I did track down why it is crashing.
It appears that in the safe mode code I don't have access to the apache
environ() environment variables, e.g. SCRIPT_FILENAME, etc.
SCRIPT_FILENAME is the one I want and reading mod_php4.c I also tried
PATH_TRANSLATED, but that didn't work either.
    char *me;
    php_error(E_WARNING,"Calling getenv");
    me = getenv("SCRIPT_FILENAME");
    if (!me) {
        me = "";
    }
    php_error(E_WARNING,"Calling strlen...");
    i = byte_chr(me, 255, 0);
    php_error(E_WARNING,"i=%d, setting end to null.", i);
    me[i] ='\0';
was null :-(
(byte_chr is from DJB's byte_ libraries and essentially my use is the same as
strlen())
I added in some debugging and got:
[Thu Apr 6 18:15:18 2000] [error] PHP Warning: Running php_checkuid on inc.txt: in /web/test.devcustserver.tibus.com/test.php3 on line 15
[Thu Apr 6 18:15:18 2000] [error] PHP Warning: Calling getenv in /web/test.devcustserver.tibus.com/test.php3 on line 15
[Thu Apr 6 18:15:18 2000] [error] PHP Warning: Calling strlen... in /web/test.devcustserver.tibus.com/test.php3 on line 15
[Thu Apr 6 18:15:18 2000] [error] PHP Warning: i=0, setting end to null. in /web/test.devcustserver.tibus.com/test.php3 on line 15
[Thu Apr 6 18:15:19 2000] [notice] child pid 82756 exit signal Bus error (10)
So, how can I, in safe_mode.c, get the contents of SCRIPT_FILENAME, i.e. the
path/filename of the php3 script that caused the php_checkuid() checkuid
function to be called?
Thanks in advance.
Paul Gregg.
Zeev Suraski <zeev <email protected>> wrote:
> You should try running it in single user mode (httpd -X), through gdb (make
> sure you compile with debug symbols). Knowing where it crashes would be a
> good start.
> Zeev
> At 01:02 04/04/2000 , Paul Gregg wrote:
>>Reposted:
>>
>>I've now recoded this function to use DJBs byte_* string libraries (DJB
>>of qmail fame). Again works perfectly in standalone C prog mode, but when
>>I merge it into php (latest version 4 beta) it causes apache to segfault:
>>[Mon Apr 3 18:49:11 2000] [error] PHP Warning: Running php_checkuid on inc.txt: in /web/test.devcustserver.tibus.com/test.php3 on line 11
>>[Mon Apr 3 18:49:11 2000] [notice] child pid 10634 exit signal Segmentation fault (11)
>>
>>Can someone please provide me a dummy's pointer on where I can start to debug
>>this and/or get it working. Once it runs I'd be happy if the powers-that-be
>>wished to include this extra safe_mode option into the standard build (this
>>makes Mass-hosting PHP on non-uid based apache systems viable).
>>
>>Thanks,
>>
>>Paul.
>>
>>Paul Gregg <pgregg-php-dev <email protected>> wrote:
>> > Hi all,
>>
>> > It appears that safe mode is a much neglected aspect of PHP (been using PHP
>> > since the FI days). One of the things I need to add to safe mode is
>> > the restriction preventing script going above their own current directory
>> > (regardless of UID).
>>
>> > To this end I wrote the following code which works perfectly in "standalone"
>> > mode (i.e. a .c prog with the call in main()):
>>
>>
>> > #include <stdio.h>
>> > #include <stdlib.h>
>>
>>
>> > /* checkDirs
>> > *
>> > * This function is a TIBUS modification to ensure that PHP scripts cannot
>> > * access files outside of its own directory when running in SAFE_MODE.
>> > *
>> > */
>>
>> > int checkDirs( char *script, char *filename) {
>> >     char *scriptdir[255], *search[255];
>> >     int i=0;
>> >     int slash=47;
>> >     int checklength=0, result=1;
>> >     long pos=0, start=0;
>>
>> >     for (i=0;i<255;i++) {
>> >         scriptdir[i]='\0';
>> >         search[i]='\0';
>> >     }
>>
>> >     pos = strrchr(script, slash);
>> >     i = (pos - (long)script);
>>
>>
>> >     printf("1 - script=%s\n filename=%s\n i=%d \n",script,filename,i );
>>
>> >     if (i<0 || i>255)
>> >         return 2;
>>
>> >     i++;
>> >     strncpy(scriptdir,script,i);
>> >     scriptdir[i] = '\0';
>>
>> >     if (i > (int)strlen(filename) ){
>> >         return 3;
>> >     }
>>
>> >     result = strncmp( scriptdir, filename, i );
>>
>> >     if( result == 0 )
>> >         return 0;
>> >     else
>> >         return 1;
>> > }
>>
>>
>>
>> > The above function goes in the safe_mode.c file and in the checkuid function
>> > right after the check to see if it is a URL:
>>
>> > me = getenv("SCRIPT_FILENAME");
>> > if (checkDirs(me, fn) != 0){
>> >     php_error(E_WARNING, "SAFE MODE Restriction in effect. You cannot access files outside of the current directory.");
>> >     return(0);
>> > }
>>
>>
>>
>> > As I said, in a standalone prog the code works properly, however when I patch
>> > it into safe mode it gives a Segmentation fault (when trying to execute PHP).
>> > [Tue Mar 28 18:51:32 2000] [notice] child pid 34160 exit signal Segmentation fault (11)
>> > [Tue Mar 28 18:51:35 2000] [notice] child pid 34161 exit signal Segmentation fault (11)
>>
>> > Turning safemode off in the php.ini file, it doesn't cause an error, but I
>> > obviously then don't have the protection I desire.
>>
>> > Rasmus? anyone?
>>
>> > Regards,
>>
>> > Paul.
>>
>> > --
>> > Email pgregg at tibus.net | T: +44 (0) 1232 424190 | CLUB24 INTERNET |
>> > Technical Director | F: +44 (0) 1232 424709 | Free Access |
>> > The Internet Business Ltd | W: http://www.tibus.net | www.club24.co.uk |
>>
>> > --
>> > PHP Development Mailing List <http://www.php.net/>
>> > To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
>> > For additional commands, e-mail: php-dev-help <email protected>
>> > To contact the list administrators, e-mail: php-list-admin <email protected>
>>
>>--
>>Email pgregg at tibus.net | T: +44 (0) 1232 424190 | CLUB24 INTERNET |
>>Technical Director | F: +44 (0) 1232 424709 | Free Access |
>>The Internet Business Ltd | W: http://www.tibus.net | www.club24.co.uk |
>>
> --
> Zeev Suraski <zeev <email protected>> http://www.zend.com/
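Added example, not code from this thread or from PHP: a version of the directory check that survives a missing SCRIPT_FILENAME, which is the case the debug output in the message points at (getenv() giving nothing, then a '\0' written through `me`, which by then points at the literal ""). The name check_dirs, the rejection of ".." components and the sample paths are assumptions made for the illustration; the return codes follow the checkDirs() quoted above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define DIR_MAX 255

/* 1 if any '/'-separated component of path is "..", else 0. */
static int has_dotdot(const char *path)
{
    for (const char *p = path; ; ) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        if (p[len] == '\0')
            return 0;
        p += len + 1;
    }
}

/* 0 = filename lies under the script's directory, 1 = outside it,
 * 2 = script path unusable, 3 = filename rejected. The codes follow the
 * checkDirs() posted in the thread; the name check_dirs is made up here. */
int check_dirs(const char *script, const char *filename)
{
    char scriptdir[DIR_MAX + 1];          /* array of char, not of char * */
    const char *slash;
    size_t n;

    if (script == NULL || filename == NULL)  /* getenv() is NULL when unset */
        return script == NULL ? 2 : 3;
    slash = strrchr(script, '/');
    if (slash == NULL)
        return 2;
    n = (size_t)(slash - script) + 1;     /* length including trailing '/' */
    if (n > DIR_MAX)
        return 2;
    memcpy(scriptdir, script, n);         /* private copy: never write into */
    scriptdir[n] = '\0';                  /* getenv()'s result or a literal */
    if (strlen(filename) < n || has_dotdot(filename))
        return 3;                         /* "dir/../x" would pass a prefix test */
    return strncmp(scriptdir, filename, n) == 0 ? 0 : 1;
}

int main(void)
{
    const char *me = getenv("SCRIPT_FILENAME");  /* usually unset in a shell */
    printf("%d\n", check_dirs(me, "/web/site/inc.txt"));  /* constructed path */
    return 0;
}
```

Keeping the trailing '/' in the compared prefix is what stops /web/site2/ from matching /web/site/.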

