Per Directory Values overrides PHP_INI_SYSTEM configuration options

Sec Bug #69134 Per Directory Values overrides PHP_INI_SYSTEM configuration options
Submitted: 2015-02-27 05:06 UTC
Modified: 2015-03-17 23:55 UTC
From: aserbulov at parallels dot com
Assigned: ab (profile)
Status: Closed
Package: PHP options/info functions
PHP Version: 5.5.22
OS: Windows
Private report: No
CVE-ID: None

 [2015-02-27 05:06 UTC] aserbulov at parallels dot com

Description:
------------
http://php.net/manual/en/configuration.changes.php
---
only configuration values changeable in PHP_INI_USER can be set this way
---

Expected result:
----------------
PHP_INI_SYSTEM configuration options should not be overridden by Per Directory Values.

Actual result:
--------------
Per Directory Values overrides PHP_INI_SYSTEM configuration options.

Patches

bug69134.patch (last revision 2015-03-04 18:53 UTC by ab@php.net)

History


 [2015-02-27 05:36 UTC] aserbulov at parallels dot com

patch
---
--- win32/registry.c	Wed Jan 21 10:23:27 2015
+++ win32/registry.c	Fri Feb 27 10:40:52 2015
@@ -261,7 +261,7 @@
 			     zend_hash_get_current_data_ex(ht, (void**)&data, &pos) == SUCCESS &&
 			     zend_hash_get_current_key_ex(ht, &index, &index_len, &num, 0, &pos) == HASH_KEY_IS_STRING;
 			     zend_hash_move_forward_ex(ht, &pos)) {
-				zend_alter_ini_entry(index, index_len, Z_STRVAL_PP(data), Z_STRLEN_PP(data), PHP_INI_SYSTEM, PHP_INI_STAGE_ACTIVATE);
+				zend_alter_ini_entry(index, index_len, Z_STRVAL_PP(data), Z_STRLEN_PP(data), PHP_INI_USER, PHP_INI_STAGE_ACTIVATE);
 			}
 			break;
 		}
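Review bot: the changed zend_alter_ini_entry() call still discards its return value, and with the mode switched to PHP_INI_USER it is now expected to refuse some registry values. An administrator whose existing "Per Directory Values" setting stops applying after this change gets no indication of why. Consider checking the result and reporting the skipped option name (index), and add a one-line comment above the call saying that registry per-directory values are deliberately limited to PHP_INI_USER, since the loop gives no hint of that.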

---

 [2015-02-27 05:43 UTC] stas@php.net

-Status: Open +Status: Feedback

 [2015-02-27 05:43 UTC] stas@php.net

Could you please provide a reproduction scenario that demonstrates the problem?

 [2015-02-27 05:51 UTC] aserbulov at parallels dot com

-Status: Feedback +Status: Open

 [2015-02-27 05:51 UTC] aserbulov at parallels dot com

You can set any PHP_INI_SYSTEM configuration option in the "Per Directory Values" registry sub-key (for example: curl.cainfo) and it overrides the same option in php.ini.

 [2015-02-27 14:45 UTC] ab@php.net

-Status: Open +Status: Feedback

 [2015-02-27 14:45 UTC] ab@php.net

@aserbulov, thanks for reporting. I can confirm this behavior. However, it rather looks like a documentation discrepancy. I see nowhere back in time that it was working like it is documented; it was always PHP_INI_SYSTEM, like since PHP4 :)

What would be the actual security risk? People who can edit the registry usually have enough privileges to do any possible harm to the system.

Thanks.

 [2015-03-02 03:42 UTC] aserbulov at parallels dot com

-Status: Feedback +Status: Open

 [2015-03-02 03:42 UTC] aserbulov at parallels dot com

A server administrator can grant write access on the "HKLM\Software\PHP\Per Directory Values\C\inetpub\some_website_wwwroot" registry key for some user, and this user can override PHP_INI_SYSTEM options.
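
An audit for the delegation described in the comment above, as an added PowerShell example that is not part of the original report or of PHP: it lists every non-administrative account that holds write access anywhere under "Per Directory Values", together with the option names set on that key. The WOW6432Node root (for 32-bit PHP builds on 64-bit Windows), the trusted-principal list and the function name are assumptions of this example.

```powershell
# Added example: audit who can write PHP "Per Directory Values" registry keys.
# Roots are assumptions: the hive named in the report plus the WOW6432Node
# view that 32-bit builds read on 64-bit Windows.
$roots = @(
    'HKLM:\SOFTWARE\PHP\Per Directory Values',
    'HKLM:\SOFTWARE\WOW6432Node\PHP\Per Directory Values'
)
# Principals expected to hold write access (adjust to local policy).
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller', 'CREATOR OWNER')
# Rights that let a principal change values or the ACL itself, plus
# GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000), which show up
# unmapped on inherit-only ACEs.
$writeMask = [int][System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

function Get-PhpPerDirFinding {
    param([string[]]$Root = $roots)
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        # The root key itself and every per-directory sub-key below it.
        $keys = @(Get-Item -LiteralPath $r) +
                @(Get-ChildItem -LiteralPath $r -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            $writers = (Get-Acl -LiteralPath $key.PSPath).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                ([int]$_.RegistryRights -band $writeMask) -and
                ($trusted -notcontains $_.IdentityReference.Value)
            }
            foreach ($ace in $writers) {
                [pscustomobject]@{
                    Key      = $key.Name
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.RegistryRights
                    # Option names currently set here; compare against the
                    # "Changeable" column of the PHP manual's ini list.
                    Options  = ($key.GetValueNames() -join ', ')
                }
            }
        }
    }
}

Get-PhpPerDirFinding | Format-Table -AutoSize -Wrap
```

An empty result means only the trusted principals can write these keys; any row is an account that can set per-directory values for that path.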

 [2015-03-02 04:16 UTC] stas@php.net

-Assigned To: +Assigned To: ab

 [2015-03-04 19:05 UTC] ab@php.net

-Status: Assigned +Status: Verified

 [2015-03-04 19:06 UTC] ab@php.net

Stas,

I've attached a patch suitable for 5.4/5/6. @aserbulov's suggestion sounds plausible - it's also documented here http://php.net/manual/en/configuration.changes.modes.php, but was never working :)

Depending on the (shared) hosters, the access could be encapsulated within one account or even shrunk to read-only mode for the registry. But we're on the safe side bringing the behavior in line with the doc, as it's more robust against misconfigurations. The real php.ini is usually managed by admins only, the PHP_INI_USER is for users only.

Note that I've applied this to master already as part of a bigger fix, as there were some substantial breaches to the functionality. Unfortunately it's not easy to test as one has to prepare the registry manually. So when merging into master, please do just --strategy=ours.

Cheers.

 [2015-03-17 23:55 UTC] stas@php.net

-Status: Verified +Status: Closed

 [2015-03-17 23:55 UTC] stas@php.net

The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.