Edit report at https://bugs.php.net/bug.php?id=62457&edit=1
ID: 62457
Comment by: Sjon at hortensius dot net
Reported by: mybugs at 163 dot com
Summary: Excuse me, is this a bug?
Status: Open
Type: Bug
Package: Safe Mode/open_basedir
Operating System: Microsoft Windows Server 2003 R2
PHP Version: 5.4.4
Block user comment: N
Private report: N
New Comment:
Aha, so your report is that open_basedir does not restrict the binaries that
you
can run using the various methods of system-calls? Because that is not a bug :)
open_basedir, by design, cannot limit the paths that system-calls will
eventually
be able to reach since it has no control over that. This was previously
reported
as #55761
Also, the next time you report a bug, a more descriptive title would be
appreciated!
Previous Comments:
------------------------------------------------------------------------
[2012-07-01 11:30:20] mybugs at 163 dot com
I 'm sorry . I set the wrong position by "Actual result" and "Expected result"
at the time of submission .
It should be the"Actual result"is the "Expected result",and the "Expected
result" is the "Actual result"
This problem is that it can restrict path but at the same time it also can
perform the other program except the path.
It is the significant security hidden danger.
fix
php.ini
disable_functions=system
[PATH="D:/Web/test.com/public"]
open_basedir=D:/Web/test.com/public/
------------------------------------------------------------------------
[2012-07-01 09:58:28] Sjon at hortensius dot net
What if you remove all '@' from your script, what are the error-messages that
appear? Because with those added, all errors are hidden.
------------------------------------------------------------------------
[2012-07-01 06:43:48] mybugs at 163 dot com
php.ini
disable_functions =system
[PATH= "D:/Web/test.com/public"]
open_basedir
------------------------------------------------------------------------
[2012-07-01 06:42:05] mybugs at 163 dot com
Description:
------------
php.ini
[PATH= "D:/Web/test.com/public"]
open_basedir ="D:/Web/test.com/public/"
Test script:
---------------
<?php
echo 'open_basedir:'.ini_get('open_basedir').'<br />'; //D:\WEB\TEST_COM\
$cmd = 'ping qq.com';
echo execute('system',$cmd);
echo execute('passthru',$cmd);
echo execute('shell_exec',$cmd);
echo execute('exec',$cmd);
echo execute('popen',$cmd);
function execute($type,$cfe) {
$data = '';
if ($cfe) {
if($type=='system') {
@ob_start();
@system($cfe);
$data = @ob_get_contents();
@ob_end_clean();
} elseif($type=='passthru') {
@ob_start();
@passthru($cfe);
$data = @ob_get_contents();
@ob_end_clean();
} elseif($type=='shell_exec') {
$data = @shell_exec($cfe);
} elseif($type=='exec') {
@exec($cfe,$data);
$data = join("\n",$data);
} elseif($type=='popen') {
$f = @popen($cfe,"r");
while(!@feof($f)) {
$data .= @fread($f,1024);
}
@pclose($f);
}
}
return $type.'----------<br />'.$data.'<br />'.$type.'----------<br
/><br />';
}
?>
Expected result:
----------------
open_basedir:D:\Web\test.com\public\
system----------
system----------
passthru----------
Pinging qq.com [119.147.15.13] with 32 bytes of data: Reply from 119.147.15.13:
bytes=32 time=11ms TTL=56 Reply from 119.147.15.13: bytes=32 time=11ms TTL=56
Reply from 119.147.15.13: bytes=32 time=11ms TTL=56 Reply from 119.147.15.13:
bytes=32 time=11ms TTL=56 Ping statistics for 119.147.15.13: Packets: Sent = 4,
Received = 4, Lost = 0 (0% loss), Approximate round trip times in
milli-seconds: Minimum = 11ms, Maximum = 11ms, Average = 11ms
passthru----------
shell_exec----------
Pinging qq.com [119.147.15.17] with 32 bytes of data: Reply from 119.147.15.17:
bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56
Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17:
bytes=32 time=9ms TTL=56 Ping statistics for 119.147.15.17: Packets: Sent = 4,
Received = 4, Lost = 0 (0% loss), Approximate round trip times in
milli-seconds: Minimum = 9ms, Maximum = 9ms, Average = 9ms
shell_exec----------
exec----------
Pinging qq.com [119.147.15.17] with 32 bytes of data: Reply from 119.147.15.17:
bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56
Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17:
bytes=32 time=9ms TTL=56 Ping statistics for 119.147.15.17: Packets: Sent = 4,
Received = 4, Lost = 0 (0% loss), Approximate round trip times in
milli-seconds: Minimum = 9ms, Maximum = 9ms, Average = 9ms
exec----------
popen----------
Pinging qq.com [119.147.15.17] with 32 bytes of data: Reply from 119.147.15.17:
bytes=32 time=9ms TTL=56 Reply from 119.147.15.17: bytes=32 time=9ms TTL=56
Reply from 119.147.15.17: bytes=32 time=9ms TTL=56 Reply from 119.147.15.17:
bytes=32 time=9ms TTL=56 Ping statistics for 119.147.15.17: Packets: Sent = 4,
Received = 4, Lost = 0 (0% loss), Approximate round trip times in
milli-seconds: Minimum = 9ms, Maximum = 9ms, Average = 9ms
popen----------
Actual result:
--------------
open_basedir:D:\Web\test.com\public\
system----------
system----------
passthru----------
passthru----------
shell_exec----------
shell_exec----------
exec----------
exec----------
popen----------
popen----------
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=62457&edit=1
