ID: 15018 Updated by: [EMAIL PROTECTED] -Summary: readdir() not affected by safe_mode Reported By: [EMAIL PROTECTED] Status: Open -Bug Type: Feature/Change Request +Bug Type: Filesystem function related Operating System: Debian Linux -PHP Version: 4.1.0 +PHP Version: 4.3.0-RC2 New Comment:
With: safe_mode = On safe_mode_gid = On The code below can browse any directory/file on the system. This mentions openbase_dir but one (at least I) would think Safe Mode would have more power. Safe mode is strict in some regards but super loose in others it seems. In the very least please explain this a bit so it can be documented. And btw, the following is in the _php_do_opendir code but what does it do? dirp = php_stream_opendir(Z_STRVAL_PP(arg), ENFORCE_SAFE_MODE|REPORT_ERRORS, NULL); Also AFICT this was suppose to be fixed: http://marc.theaimsgroup.com/?l=php-dev&m=101518887024304 Previous Comments: ------------------------------------------------------------------------ [2002-01-14 10:27:42] [EMAIL PROTECTED] Danielsan is right... i have had a short look into the sourcecode (ext/standard/dir.c) and compared chdir-function with opendir-function. In PHP_FUNCTION(chdir) i found this three-liner which seems to be a safe_mode-Check: ------------------------- if (PG(safe_mode) && !php_checkuid((*arg)->value.str.val, NULL, CHECKUI$ RETURN_FALSE; } ------------------------- PHP_FUNCTION(opendir) (or _php_do_opendir() to which this function refers) does not have such a check, just a short open_basedir-Check. Oh, btw, it seems for me that chdir doesn't do a open_basedir-Check but i may be wrong. cu, Roland PS: All what i said is just 'imho' and 'afaik' because i do not have many expiences with C! ------------------------------------------------------------------------ [2002-01-14 08:55:06] [EMAIL PROTECTED] i did not test it, but 'looking at the source code' (TM) seems you need to use open_basedir to limit opendir() directory range. ------------------------------------------------------------------------ [2002-01-14 08:25:55] [EMAIL PROTECTED] On the same system (=same configuration) chdir() IS limited by safe_mode, opendir() are readdir() are NOT. This is either a bug, or if it isn't, I'll make it a feature request. Either way, it should be fixed, I think. Kind Regards, Daniel Lorch ------------------------------------------------------------------------ [2002-01-13 15:31:47] [EMAIL PROTECTED] Sorry for the bogus. Would you care to elaborate? I seem to be misunderstanding something. I just don't understand why - with the same configuration - chdir() cares about the UID, and opendir/readdir don't. chdir raises a "SAFE MODE Restriction in effect" whereas readdir() and opendir() let me browse through all directories where I have apache allowed to. Thanks for your help. Kind Regards, Daniel Lorch ------------------------------------------------------------------------ [2002-01-13 14:50:47] [EMAIL PROTECTED] Like I mentioned on the mailing list, opendir() is the function that would be relevant here. It is analogous to saying that mysql_query() should block you from accessing data in a database as opposed to this access restriction being placed on the mysql_connect() call. If the perms on the dir are such that opendir() can read the directory under safe-mode, then readdir() is going to give you a list of the files in that dir. Whether you can actually open and read those individual files themselves is of course another issue and any such access would be subject to a safe-mode check. But an individual readdir() call does not have any safe-mode implications. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/15018 -- Edit this bug report at http://bugs.php.net/?id=15018&edit=1
