Date: 04/08/00
- In reply to: Paul Gregg: "Re: [PHP-DEV] (environ) safe_mode.c patch - segmentation fault"
You should use sapi_getenv() to obtain a server variable. Server variables
may come from different places under different platforms. E.g., under CGI,
they come from the process environment; under Apache, they come from the
server variables table, and the same happens under most other
servers; sapi_getenv() abstracts this to a single transparent call.
Zeev
At 19:18 06/04/2000 , Paul Gregg wrote:
>Thanks Zeev,
>
>Ok, I couldn't figure out running httpd with the -X, gdb wouldn't accept the
>arg - but I did track down why it is crashing.
>
>It appears that in the safe mode code I don't have access to the apache
>environ() environment variables, e.g. SCRIPT_FILENAME, etc.
>SCRIPT_FILENAME is the one I want and reading mod_php4.c I also tried
>PATH_TRANSLATED, but that didn't work either.
>
>char *me;
>php_error(E_WARNING,"Calling getenv");
> me = getenv("SCRIPT_FILENAME");
> if (!me) {
> me = "";
> }
>php_error(E_WARNING,"Calling strlen...");
> i = byte_chr(me, 255, 0);
>php_error(E_WARNING,"i=%d, setting end to null.", i);
> me[i] ='\0';
>
>was null :-(
>
>(byte_chr is from DJB's byte_ libraries and essentially my use is the same as
>strlen())
>
>I added in some debugging and got:
>[Thu Apr 6 18:15:18 2000] [error] PHP Warning: Running php_checkuid on
>inc.txt: in /web/test.devcustserver.tibus.com/test.php3 on line 15
>[Thu Apr 6 18:15:18 2000] [error] PHP Warning: Calling getenv in
>/web/test.devcustserver.tibus.com/test.php3 on line 15
>[Thu Apr 6 18:15:18 2000] [error] PHP Warning: Calling strlen... in
>/web/test.devcustserver.tibus.com/test.php3 on line 15
>[Thu Apr 6 18:15:18 2000] [error] PHP Warning: i=0, setting end to null.
>in /web/test.devcustserver.tibus.com/test.php3 on line 15
>[Thu Apr 6 18:15:19 2000] [notice] child pid 82756 exit signal Bus error (10)
>
>
>So, how can I, in safe_mode.c get the contents of SCRIPT_FILENAME, i.e. the
>path/filename of the php3 script that caused the php_checkuid() checkuid
>function to be called.
>
>Thanks in advance.
>
>Paul Gregg.
>
>
>Zeev Suraski <zeev <email protected>> wrote:
> > You should try running it in single user mode (httpd -X), through gdb (make
> > sure you compile with debug symbols). Knowing where it crashes would be a
> > good start.
>
> > Zeev
>
> > At 01:02 04/04/2000 , Paul Gregg wrote:
>
> >>Reposted:
> >>
> >>I've now recoded this function to use DJBs byte_* string libraries (DJB
> >>of qmail fame). Again works perfectly in standalone C prog mode, but when
> >>I merge it into php (latest version 4 beta) it causes apache to segfault:
> >>[Mon Apr 3 18:49:11 2000] [error] PHP Warning: Running php_checkuid on
> >>inc.txt: in /web/test.devcustserver.tibus.com/test.php3 on line 11
> >>[Mon Apr 3 18:49:11 2000] [notice] child pid 10634 exit signal
> >>Segmentation fault (11)
> >>
> >>Can someone please provide me a dummy's pointer on where I can start to debug
> >>this and/or get it working. Once it runs I'd be happy if the powers-that-be
> >>wished to include this extra safe_mode option into the standard build (this
> >>makes Mass-hosting PHP on non-uid based apache systems viable).
> >>
> >>Thanks,
> >>
> >>Paul.
> >>
> >>Paul Gregg <pgregg-php-dev <email protected>> wrote:
> >> > Hi all,
> >>
> >> > It appears that safe mode is a much neglected aspect of PHP (been using PHP
> >> > since the FI days). One of the things I need to add to safe mode is
> >> > the restriction preventing script going above their own current directory
> >> > (regardless of UID).
> >>
> >> > To this end I wrote the following code which works perfectly in "standalone"
> >> > mode (i.e. a .c prog with the call in main()):
> >>
> >>
> >> > #include <stdio.h>
> >> > #include <stdlib.h>
> >>
> >>
> >> > /* checkDirs
> >> > *
> >> > * This function is a TIBUS modification to ensure that PHP scripts cannot
> >> > * access files outside of its own directory when running in SAFE_MODE.
> >> > *
> >> > */
> >>
> >> > int checkDirs( char *script, char *filename) {
> >> > char *scriptdir[255], *search[255];
> >> > int i=0;
> >> > int slash=47;
> >> > int checklength=0, result=1;
> >> > long pos=0, start=0;
> >>
> >> > for (i=0;i<255;i++) {
> >> > scriptdir[i]='\0';
> >> > search[i]='\0';
> >> > }
> >>
> >> > pos = strrchr(script, slash);
> >> > i = (pos - (long)script);
> >>
> >>
> >> > printf("1 - script=%s\n filename=%s\n i=%d \n",script,filename,i );
> >>
> >> > if (i<0 || i>255)
> >> > return 2;
> >>
> >> > i++;
> >> > strncpy(scriptdir,script,i);
> >> > scriptdir[i] = '\0';
> >>
> >> > if (i > (int)strlen(filename) ){
> >> > return 3;
> >> > }
> >>
> >> > result = strncmp( scriptdir, filename, i );
> >>
> >> > if( result == 0 )
> >> > return 0;
> >> > else
> >> > return 1;
> >> > }
> >>
> >>
> >>
> >> > The above function goes in the safe_mode.c file and in the checkuid function
> >> > right after the check to see if it is a URL:
> >>
> >> > me = getenv("SCRIPT_FILENAME");
> >> > if (checkDirs(me, fn) != 0){
> >> > php_error(E_WARNING, "SAFE MODE Restriction in effect. You cannot access files outside of the current directory.");
> >> > return(0);
> >> > }
> >>
> >>
> >>
> >> > As I said, in a standalone prog the code works properly, however when I patch
> >> > it into safe mode it gives a Segmentation fault (when trying to execute PHP).
> >> > [Tue Mar 28 18:51:32 2000] [notice] child pid 34160 exit signal Segmentation fault (11)
> >> > [Tue Mar 28 18:51:35 2000] [notice] child pid 34161 exit signal Segmentation fault (11)
> >>
> >> > Turning safemode off in the php.ini file, it doesn't cause an error, but I
> >> > obviously then don't have the protection I desire.
> >>
> >> > Rasmus? anyone?
> >>
> >> > Regards,
> >>
> >> > Paul.
> >>
> >> > --
> >> > Email pgregg at tibus.net | T: +44 (0) 1232 424190 | CLUB24 INTERNET |
> >> > Technical Director | F: +44 (0) 1232 424709 | Free Access |
> >> > The Internet Business Ltd | W: http://www.tibus.net | www.club24.co.uk |
> >>
> >> > --
> >> > PHP Development Mailing List <http://www.php.net/>
> >> > To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
> >> > For additional commands, e-mail: php-dev-help <email protected>
> >> > To contact the list administrators, e-mail: php-list-admin <email protected>
> >>
> >>--
> >>Email pgregg at tibus.net | T: +44 (0) 1232 424190 | CLUB24 INTERNET |
> >>Technical Director | F: +44 (0) 1232 424709 | Free Access |
> >>The Internet Business Ltd | W: http://www.tibus.net | www.club24.co.uk |
> >>
>
> > --
> > Zeev Suraski <zeev <email protected>> http://www.zend.com/
--
Zeev Suraski <zeev <email protected>> http://www.zend.com/
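
An added example, not code from this thread or from the PHP source: a directory-containment check of the kind discussed above that tolerates a missing script path (the thread reports the getenv() result being null under Apache), refuses relative names, and rejects ".." components before the prefix comparison. The names check_dirs, has_dotdot and the result codes are hypothetical; the caller is assumed to obtain the script path itself (for example through sapi_getenv(), as advised above), and the check is purely lexical, so it does not resolve symlinks.

```c
#include <stdio.h>
#include <string.h>

/* Result codes (names are hypothetical, chosen for this example). */
enum dir_check { DIR_OK = 0, DIR_OUTSIDE = 1, DIR_BAD_INPUT = 2 };

/* True if any '/'-separated component of path is exactly "..". */
static int has_dotdot(const char *path)
{
    const char *p = path;
    while (*p) {
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 1;
        p += len;
        while (*p == '/')
            p++;
    }
    return 0;
}

/* Is absolute path `filename` inside the directory that holds `script`? */
enum dir_check check_dirs(const char *script, const char *filename)
{
    const char *slash;
    size_t dirlen;
    /* The server variable may be unset (NULL): refuse, never dereference. */
    if (script == NULL || filename == NULL)
        return DIR_BAD_INPUT;
    /* Relative names such as "inc.txt" must be made absolute by the caller. */
    if (script[0] != '/' || filename[0] != '/')
        return DIR_BAD_INPUT;
    slash = strrchr(script, '/');           /* non-NULL: script begins with '/' */
    dirlen = (size_t)(slash - script) + 1;  /* include the trailing '/' */

    /* "/web/a/../b/x" has the prefix "/web/a/" but is not inside it. */
    if (has_dotdot(filename))
        return DIR_OUTSIDE;
    return strncmp(script, filename, dirlen) == 0 ? DIR_OK : DIR_OUTSIDE;
}

int main(void)
{
    const char *script = "/web/site/test.php3";  /* constructed sample path */
    printf("%d %d %d\n", check_dirs(script, "/web/site/inc.txt"),
           check_dirs(script, "/web/site/../other/inc.txt"),
           check_dirs(NULL, "/web/site/inc.txt"));
    return 0;
}
```

Keeping the trailing slash in the compared prefix is what stops a sibling directory such as /web/site2/ from matching /web/site/.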

