Setting save_path in httpd.conf under safemode gives SEGV
| Bug #33690 | Setting save_path in httpd.conf under safemode gives SEGV | | |
|---|---|---|---|
| Submitted: | 2005-07-14 04:20 UTC | Modified: | 2005-07-26 00:40 UTC |
| From: | david at madole dot net | Assigned: | rasmus (profile) |
| Status: | Closed | Package: | Safe Mode/open_basedir |
| PHP Version: | 5CVS, 4CVS (2005-07-14) | OS: | * |
| Private report: | No | CVE-ID: | None |
[2005-07-14 04:20 UTC] david at madole dot net
Description:
------------
```sh
./configure \
--prefix=/usr/local/opt/php4-STABLE-200507140043 \
--with-apxs2=/usr/local/opt/httpd-2.0.54/bin/apxs \
--with-config-file-path=/etc \
--enable-debug
```

```
diff php.ini-dist /etc/php.ini
158c158
< safe_mode = Off
---
> safe_mode = On
```

```apache
<Directory /home/user/www>
PHP_Admin_Value open_basedir /home/user/
PHP_Admin_Value session.save_path /home/user/tmp/
</Directory>
```
On serving any page from /home/user/www, even plain HTML files not parsed by PHP, a SEGV is encountered in the Apache child process.
The error occurs in sapi/apache2handler/sapi_apache2.c line 173, where ctx is dereferenced while containing NULL (see the very end of the backtrace below):

```c
ctx->finfo.st_uid = ctx->r->finfo.user;
```
Removing the newly introduced OnUpdateSaveDir check in ext/session/session.c eliminates the problem.
Reproduce code:
---------------
```html
<html><body>Test</body></html>
```
Expected result:
----------------
Display "Test" in browser.
Actual result:
--------------
```
#0 0x2851ba51 in php_apache_sapi_get_stat ()
at /usr/local/src/php4-STABLE-200507140043/sapi/apache2handler/sapi_apache2.c:173
#1 0x284d9122 in sapi_get_stat ()
at /usr/local/src/php4-STABLE-200507140043/main/SAPI.c:848
#2 0x28487317 in php_statpage ()
at /usr/local/src/php4-STABLE-200507140043/ext/standard/pageinfo.c:73
#3 0x28487383 in php_getuid ()
at /usr/local/src/php4-STABLE-200507140043/ext/standard/pageinfo.c:99
#4 0x284d5b99 in php_checkuid_ex (
filename=0xbfbfdff0 "/home/madole.net/tmp/", fopen_mode=0x0, mode=3,
flags=0) at /usr/local/src/php4-STABLE-200507140043/main/safe_mode.c:150
#5 0x284d5cda in php_checkuid (filename=0x81dc6a4 "/home/madole.net/tmp/",
fopen_mode=0x0, mode=3)
at /usr/local/src/php4-STABLE-200507140043/main/safe_mode.c:191
#6 0x28443c64 in OnUpdateSaveDir (entry=0x81cbf00,
new_value=0x81dc6a4 "/home/madole.net/tmp/", new_value_length=21,
mh_arg1=0x0, mh_arg2=0x28577900, mh_arg3=0x0, stage=16)
at /usr/local/src/php4-STABLE-200507140043/ext/session/session.c:123
#7 0x285101be in zend_alter_ini_entry (name=0x81106a0 "session.save_path",
name_length=18, new_value=0x8123698 "/home/madole.net/tmp/",
new_value_length=21, modify_type=4, stage=16)
at /usr/local/src/php4-STABLE-200507140043/Zend/zend_ini.c:232
#8 0x2851cc48 in apply_config (dummy=0x8123598)
at /usr/local/src/php4-STABLE-200507140043/sapi/apache2handler/apache_config.c:167
#9 0x2851c207 in php_handler (r=0x81f2050)
at /usr/local/src/php4-STABLE-200507140043/sapi/apache2handler/sapi_apache2.c:457
#10 0x0807a45a in ap_run_handler (r=0x81f2050) at config.c:152
#11 0x0807a825 in ap_invoke_handler (r=0x81f2050) at config.c:364
#12 0x08069a35 in ap_process_request (r=0x81f2050) at http_request.c:249
#13 0x08065411 in ap_process_http_connection (c=0x81ec128) at http_core.c:251
#14 0x08083c72 in ap_run_process_connection (c=0x81ec128) at connection.c:43
#15 0x08078c71 in child_main (child_num_arg=0) at prefork.c:610
#16 0x08078e65 in make_child (s=0x80b9760, slot=0) at prefork.c:650
#17 0x08078f2c in startup_children (number_to_start=5) at prefork.c:722
#18 0x080795af in ap_mpm_run (_pconf=0xbfbfec40, plog=0x80ed018, s=0xbfbfec48)
at prefork.c:941
#19 0x0807e74b in main (argc=6, argv=0xbfbfed38) at main.c:618
(gdb) print ctx
$1 = (php_struct *) 0x0
```
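The crash path in the backtrace, modelled in C as an added example (not PHP's code and not the fix that closed this bug): a per-directory configuration callback that fires before the request context exists, with the stat accessor and the safe-mode owner check written to return a failure instead of dereferencing NULL. Every struct and function name below is a constructed stand-in for php_struct, php_apache_sapi_get_stat, php_checkuid and OnUpdateSaveDir, and the uids are sample values.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Added example, not PHP's code: a small model of the call chain in the
 * backtrace (ini callback -> owner check -> stat of the current page).
 * The per-request context, modelling SG(server_context) / php_struct, is
 * NULL until the request handler creates it, yet per-directory config can
 * be applied first.  The accessor therefore has to handle NULL, and the
 * security check built on it has to fail closed when the context is absent. */

struct request_ctx {
    uid_t file_owner;   /* owner of the file being served (models r->finfo.user) */
};

struct stat_info {
    uid_t st_uid;
};

/* Models the global SG(server_context): NULL until the handler sets it up. */
static struct request_ctx *server_context = NULL;
static struct stat_info page_stat;

/* Models php_apache_sapi_get_stat().  The shape that crashed in the report is
 *     page_stat.st_uid = server_context->file_owner;
 * with no NULL check; this version reports "no stat available" instead. */
static struct stat_info *get_stat_guarded(void)
{
    if (server_context == NULL) {
        return NULL;
    }
    page_stat.st_uid = server_context->file_owner;
    return &page_stat;
}

/* Models the safe-mode owner check (php_checkuid): the path's owner must match
 * the owner of the page being served.  Returns 1 to allow, 0 to deny.  With no
 * request context the comparison is impossible, so it denies rather than
 * dereferencing NULL or silently skipping the check. */
int check_uid_guarded(uid_t path_owner)
{
    struct stat_info *st = get_stat_guarded();
    if (st == NULL) {
        return 0;       /* fail closed */
    }
    return st->st_uid == path_owner;
}

/* Models OnUpdateSaveDir(): a per-directory session.save_path value validated
 * under safe mode.  Returns 1 if the value is accepted, 0 if it is rejected. */
int on_update_save_dir(const char *new_value, uid_t path_owner, int safe_mode)
{
    if (new_value == NULL || new_value[0] == '\0') {
        return 0;
    }
    if (safe_mode && !check_uid_guarded(path_owner)) {
        return 0;
    }
    return 1;
}

/* Scenario from the report: config applied before the handler created the
 * request context (frames #8 and #9).  Guarded, this is a rejected value,
 * not a SEGV.  The path and uid 1000 are constructed sample values. */
int apply_before_context(void)
{
    server_context = NULL;
    return on_update_save_dir("/home/user/tmp/", 1000, 1);
}

/* Context initialised first: the owner check runs normally. */
int apply_after_context(uid_t page_owner, uid_t path_owner)
{
    static struct request_ctx ctx;
    int accepted;

    ctx.file_owner = page_owner;
    server_context = &ctx;
    accepted = on_update_save_dir("/home/user/tmp/", path_owner, 1);
    server_context = NULL;      /* request finished */
    return accepted;
}

int main(void)
{
    printf("before context: %s\n",
           apply_before_context() ? "accepted" : "rejected");
    printf("after context, same owner: %s\n",
           apply_after_context(1000, 1000) ? "accepted" : "rejected");
    printf("after context, other owner: %s\n",
           apply_after_context(1000, 0) ? "accepted" : "rejected");
    return 0;
}
```

The property worth keeping from the model is the failure mode: a security check that depends on per-request state must deny when that state is absent, and the accessor it relies on must signal absence rather than assume an initialisation order that a different code path (here, serving a plain HTML file) may not follow.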
[2005-07-14 08:53 UTC] sniper@php.net
[2005-07-25 19:32 UTC] david at madole dot net
[2005-07-26 00:40 UTC] rasmus@php.net