Date: 09/29/02
ID: 16685
Updated by: iliaa <email protected>
Reported By: byg <email protected>
-Status: Open
+Status: Analyzed
-Bug Type: Scripting Engine problem
+Bug Type: Documentation problem
Operating System: Linux
PHP Version: 4.2.0
New Comment:
Unless you specify / at the end PHP will allow any path that will
begin with a specified string. Meaning that if /a/b/c is specified then
/a/b/cde will be allowed. A note about this exists for nearly all
directory limiting functions, however it is absent from the docs on the
safe_mode_include_dir option. Consequently, I am making this report a
documentation issue.
Previous Comments:
------------------------------------------------------------------------
[2002-04-18 12:32:11] byg <email protected>
I found that safe_mode_include_dir check is not correct.
Here's why:
resolved_name (the path in question) and ptr (a next directory from the
safe_mode_include_dir list) are compared so:
if (strncmp(ptr, resolved_name, strlen(ptr)) == 0)
let ptr="/var/www/script" and resolved_name="/var/www/scripts"
obviously, they will match though it's wrong.
It is necessary to add an extra check for trailing char
(valid one is either a slash or \0)
In fact, checking the lengths of those may save a bit of CPU time
(especially with the long list).
Here's a suggested patch (it also is available at
http://www.cf1.ru/~byg/patch/php/safe_mode_include_dir.patch
ftp://ftp.cf1.ru/pub/patches/php/safe_mode_include_dir.patch
):
--- main/fopen_wrappers.c.orig Thu Apr 18 21:40:57 2002
+++ main/fopen_wrappers.c Thu Apr 18 23:02:55 2002
@@ -233,6 +233,7 @@
char *ptr;
char *end;
char resolved_name[MAXPATHLEN];
+ int len;
/* Resolve the real path into resolved_name */
if (expand_filepath(path, resolved_name TSRMLS_CC) ==
NULL)
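Review bot: `int len;` in the added declaration is the wrong type for a value that the next hunk fills with `len = strlen(ptr);` and then compares in `strlen(resolved_name) >= len`, which mixes signed and unsigned operands. Declaring it as `size_t len;` removes the implicit conversion and the comparison warning.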
@@ -250,15 +251,20 @@
}
/* Check the path */
+ len = strlen(ptr);
+ if (strlen(resolved_name) >= len) {
#ifdef PHP_WIN32
- if (strncasecmp(ptr, resolved_name,
strlen(ptr)) == 0)
+ if (strncasecmp(ptr, resolved_name, len) ==
0)
#else
- if (strncmp(ptr, resolved_name, strlen(ptr)) ==
0)
+ if (strncmp(ptr, resolved_name, len) == 0)
#endif
- {
- /* File is in the right directory */
- efree(pathbuf);
- return 0;
+ {
+ if ((*(resolved_name + len) ==
DEFAULT_SLASH) || (*(resolved_name + len) == '\0')) {
+ /* File is in the right directory
*/
+ efree(pathbuf);
+ return 0;
+ }
+ }
}
ptr = end;
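Review bot: the boundary test `(*(resolved_name + len) == DEFAULT_SLASH) || (*(resolved_name + len) == '\0')` rejects valid files when the configured entry itself ends in a slash: with ptr "/var/www/script/" and resolved_name "/var/www/script/a.php" the prefix matches, but the byte at resolved_name + len is 'a'. Accept the match as well when `ptr[len - 1] == DEFAULT_SLASH`, guarded by `len > 0` so an empty list entry is skipped instead of indexing before the start of ptr. The `strlen(resolved_name) >= len` pre-check is not needed for memory safety, since a successful strncmp over len bytes already means resolved_name + len is readable, so a short comment saying it is only a shortcut would help.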
------------------------------------------------------------------------

