[PHP-DEV] Re: Pretty mammoth security issue with safe_mode_exec From: Adam Wright (adam <email protected>)
Date: 01/05/01

Not to be annoying (well, not entirely), but if \. is parsed out at the
lexical level, why does...

<?

if ("\." == ".")
  print "Same";
else
  print "Different";

echo "Different"?

adamw

----- Original Message -----
From: "Zeev Suraski" <zeev <email protected>>
To: "Adam Wright" <adam <email protected>>
Cc: "PHP Development" <php-dev <email protected>>
Sent: Friday, January 05, 2001 12:42 PM
Subject: Re: Pretty mammoth security issue with safe_mode_exec

> At 14:11 5/1/2001, Adam Wright wrote:
> >If you have safe mode enabled, and have a safe mode exec directory,
here's
> >how you can execute binarys outside of your safe mode exec directory!
> >
> >Normally...
> >
> >system("../../../../../bin/cp blah blip");
> >
> >would fail (as .. is blocked in _Exec (standard/exec.c)
> >
> >However...
> >
> >system("\.\./\.\./\.\./\.\./\.\./bin/cp blah blip");
> >
> >will work fine! This is because the .. check was performed before the
> >php_escape_shell_cmd in exec.c!
>
> That's very very odd, because as far as system() (or any function for that
> matter) is concerned, ".." and "\.\." is exactly the same thing. At the
> scanner level, all the way down in the Zend Engine, it converts the bogus
> "\.\." string (which has illegal escapes) to "..".
>
> Are you sure this is the symptom exactly?
>
> Zeev
>
>
> --
> Zeev Suraski <zeev <email protected>>
> CTO & co-founder, Zend Technologies Ltd. http://www.zend.com/
>
> 

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>