From: tautolog at gmail dot com
Operating system: DragonFly BSD
PHP version: 5.2.5
PHP Bug Type: Filesystem function related
Bug description: open_basedir resolves links on link-specific operations
Description:
------------
This is not a security issue. It is just a functionality issue.
open_basedir resolves links on link-specific operations, getting in the
way of expected behavior.
I don't think that the ability to read a link target (the target itself,
not the file the target resolves to) within the basedir is a security
concern because it is no different than the ability to read a config file
which refers to a file outside of the basedir.
In my thinking about this issue, I am viewing a symbolic link as just an
alternate way to associate data with a file that just happens to have
common support for treating the data as a target.
See my reproduce code. Clearly, "/tmp/testlink" is in the allowed path of
"home/ben/public_html:/tmp", but since it resolves to "/test", it is not
being allowed.
The following system calls (and therefore PHP functions) do not follow
symlinks, according to symlink(7) on my BSD system:
lchown()
lstat()
readlink()
rename()
rmdir()
unlink()
remove() (just an alias to unlink which is not in PHP)
I tested all of them. All of them have this issue.
rmdir() is an odd one. According to the manual, if you use it on a
symbolic link, it should return ENOTDIR.
$ mkdir /tmp/link_target
$ ln -s /tmp/link_target /tmp/testlink
$ rmdir /tmp/testlink
rmdir: /tmp/testlink: Not a directory
I have been using symbolic links to back a fast, simple, global, atomic,
persistent hash, where the link filename is the key and the link value is
the value. I have been running the application with open_basedir set to try
to find compatibility problems with it, and found this issue. To work
around it, I prefix all values with "./" now.
However, there are other cases that cannot be worked around. For example,
a php file manager would not even be able to tell whether the file were a
link, let alone read its value or delete it.
I have some interest in working on a patch. If you agree that it is
desirable for open_basedir to not resolve links in some cases, I may be
able to provide a patch.
Just in case, I also tested the case where a link is outside open_basedir,
but it resolves within open_basedir, and it blocked that, which I agree
should be the expected behavior.
Reproduce code:
---------------
Add /tmp to open_basedir
$ ln -s /test /tmp/testlink
<?php echo is_link("/tmp/testlink") ; ?>
Expected result:
----------------
1
Actual result:
--------------
Warning: is_link(): open_basedir restriction in effect.
File(/tmp/testlink) is not within the allowed path(s):
(/home/ben/public_html:/tmp) in
/home/ben/public_html/cvs/app-modernbill-admin/include/lib-action/migrate/-
on line 1
--
Edit bug report at http://bugs.php.net/?id=44271&edit=1
--
Try a CVS snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=44271&r=trysnapshot52
Try a CVS snapshot (PHP 5.3):
http://bugs.php.net/fix.php?id=44271&r=trysnapshot53
Try a CVS snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=44271&r=trysnapshot60
Fixed in CVS: http://bugs.php.net/fix.php?id=44271&r=fixedcvs
Fixed in release:
http://bugs.php.net/fix.php?id=44271&r=alreadyfixed
Need backtrace: http://bugs.php.net/fix.php?id=44271&r=needtrace
Need Reproduce Script: http://bugs.php.net/fix.php?id=44271&r=needscript
Try newer version: http://bugs.php.net/fix.php?id=44271&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=44271&r=support
Expected behavior: http://bugs.php.net/fix.php?id=44271&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=44271&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=44271&r=submittedtwice
register_globals: http://bugs.php.net/fix.php?id=44271&r=globals
PHP 4 support discontinued: http://bugs.php.net/fix.php?id=44271&r=php4
Daylight Savings: http://bugs.php.net/fix.php?id=44271&r=dst
IIS Stability: http://bugs.php.net/fix.php?id=44271&r=isapi
Install GNU Sed: http://bugs.php.net/fix.php?id=44271&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=44271&r=float
No Zend Extensions: http://bugs.php.net/fix.php?id=44271&r=nozend
MySQL Configuration Error: http://bugs.php.net/fix.php?id=44271&r=mysqlcfg
