PHP :: Bug #26653 :: open_basedir bug
| Bug #26653 | open_basedir bug | | |
|---|---|---|---|
| Submitted: | 2003-12-17 12:12 UTC | Modified: | 2005-01-31 23:24 UTC |
| From: | eddyleo777 at hotmail dot com | Assigned: | |
| Status: | Closed | Package: | Safe Mode/open_basedir |
| PHP Version: | 4CVS, 5CVS | OS: | Win32 |
| Private report: | No | CVE-ID: | None |
[2003-12-17 12:12 UTC] eddyleo777 at hotmail dot com
Description:
------------
test.php
<?php
fopen("c:/apache/user_security/passwd", "r");
?>
php.ini
open_basedir = "c:\apache\user\" ;work
open_basedir = "c:/apache/user" ;it does not work
open_basedir = "c:/apache/user/" ;it does not work
Reproduce code:
---------------
php4-200312171430/main/fopen_wrappers.c on line 133
/* Handler for basedirs that end with a / */
if (basedir[strlen(basedir)-1] == PHP_DIR_SEPARATOR) {
    resolved_basedir_len = strlen(resolved_basedir);
    resolved_basedir[resolved_basedir_len] = '/';
    resolved_basedir[++resolved_basedir_len] = '\0';
} else {
    resolved_basedir_len = strlen(resolved_basedir);
}
if (path[strlen(path)-1] == PHP_DIR_SEPARATOR) {
    resolved_name_len = strlen(resolved_name);
    resolved_name[resolved_name_len] = '/';
    resolved_name[++resolved_name_len] = '\0';
}
Expected result:
----------------
The introduced solution does not work.
Please interpret this possible solution.
php4-200312171430/main/fopen_wrappers.c on line 133
/* Handler for basedirs that end with a / */
if (???is_dir???(resolved_basedir)) {
    resolved_basedir_len = strlen(resolved_basedir);
    resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR;
    resolved_basedir[++resolved_basedir_len] = '\0';
} else {
    resolved_basedir_len = strlen(resolved_basedir);
}
if (???is_dir???(resolved_name)) {
    resolved_name_len = strlen(resolved_name);
    resolved_name[resolved_name_len] = PHP_DIR_SEPARATOR;
    resolved_name[++resolved_name_len] = '\0';
}
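The comparison at the heart of this report, as an added example that is not part of the report or of PHP's source: a simplified model in C, with hypothetical function names, assuming Win32 paths that are already resolved and use `\` as the separator. It shows why a basedir left without its trailing separator lets `user` match `user_security`, and a component-boundary check that does not.

```c
#include <stdio.h>
#include <string.h>

#define DIR_SEP '\\'  /* assumption: Win32 separator, paths already resolved */

/* Weak check: plain prefix comparison against a basedir with no trailing
 * separator, which is what remains when the separator is not appended. */
int allowed_prefix_only(const char *basedir, const char *name)
{
    return strncmp(basedir, name, strlen(basedir)) == 0;
}

/* Boundary-aware check: the prefix must match AND end on a path component
 * boundary, so "user" cannot match "user_security". */
int allowed_on_boundary(const char *basedir, const char *name)
{
    size_t len = strlen(basedir);

    if (len == 0)
        return 0;                   /* an empty basedir matches nothing */
    if (strncmp(basedir, name, len) != 0)
        return 0;
    if (basedir[len - 1] == DIR_SEP)
        return 1;                   /* basedir already ends a component */
    /* name has at least len characters here, so name[len] is readable. */
    return name[len] == DIR_SEP || name[len] == '\0';
}

int main(void)
{
    /* Constructed paths modelled on the report's test case. */
    const char *base = "c:\\apache\\user";
    const char *cases[] = {
        "c:\\apache\\user\\index.php",
        "c:\\apache\\user",
        "c:\\apache\\user_security\\passwd",
        "c:\\apache\\other\\file",
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-34s prefix-only=%d boundary=%d\n", cases[i],
               allowed_prefix_only(base, cases[i]),
               allowed_on_boundary(base, cases[i]));
    return 0;
}
```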
[2004-02-09 17:58 UTC] scottmacvicar at ntlworld dot com
When the value in php.ini has no trailing slash or a slash which differs from the value of PHP_DIR_SEPARATOR the condition on line 135 against the path fails, causing the function not to add the trailing slash to the resolved_basedir value. I also noticed that if the condition was to work it would only append / to the resolved_basedir / resolved_name when it should in fact append PHP_DIR_SEPARATOR. Patch --- diff -u fopen_wrappers.c fopen_wrappers.c.patched --- fopen_wrappers.c 2004-02-09 22:47:35.000000000 +0000 +++ fopen_wrappers.c.patched 2004-02-09 22:49:14.000000000 +0000 @@ -132,15 +132,15 @@ if ((expand_filepath(path, resolved_name TSRMLS_CC) != NULL) && (expand_filepath(local_open_basedir, resolved_basedir TSRMLS_CC) != NULL)) { /* Handler for basedirs that end with a / */ resolved_basedir_len = strlen(resolved_basedir); - if (basedir[strlen(basedir)-1] == PHP_DIR_SEPARATOR && resolved_basedir[resolved_basedir_len -1] != PHP_DIR_SEPARATOR) { - resolved_basedir[resolved_basedir_len] = '/'; + if (resolved_basedir[resolved_basedir_len -1] != PHP_DIR_SEPARATOR) { + resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR; resolved_basedir[++resolved_basedir_len] = '\0'; } if (path[strlen(path)-1] == PHP_DIR_SEPARATOR) { resolved_name_len = strlen(resolved_name); if (resolved_name[resolved_name_len - 1] != PHP_DIR_SEPARATOR) { - resolved_name[resolved_name_len] = '/'; + resolved_name[resolved_name_len] = PHP_DIR_SEPARATOR; resolved_name[++resolved_name_len] = '\0'; } }[2004-02-10 11:03 UTC] iliaa@php.net
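Review bot: The retained test `if (path[strlen(path)-1] == PHP_DIR_SEPARATOR)` on the name side still compares the unresolved `path` against PHP_DIR_SEPARATOR, which is the same kind of comparison this patch drops for `basedir` because it fails when the caller writes the other slash. With resolved_basedir now always terminated by a separator, a request for the base directory itself written with a trailing `/` on Win32 would skip this branch and be compared without its separator; consider accepting either slash on the raw path, or deciding from resolved_name instead. Separately, the write at `resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR;` now runs whenever the separator is missing, and nothing in the hunk checks that the buffer has room for the extra byte or that resolved_basedir_len is nonzero before indexing `resolved_basedir_len -1`; an explicit length guard before both appends would make that safe by construction.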