From:             daveb at esat dot net
Operating system: Linux
PHP version:      4.3.4
PHP Bug Type:     Filesystem function related
Bug description:  rename() doesn't check newname permissions in safe_mode

Description:
------------
When running under apache2 with a perchild MPM & safe_mode turned on, it
is possible to rename a file owned by a user into a directory that the
user does not own but has write permissions to. This works, even when
safe_mode is turned on.

A simple example is ...

[EMAIL PROTECTED]:$ touch moo
[EMAIL PROTECTED]:$ ls -la moo
-rw-r--r--    1 daveb    noc             0 Jan 20 11:31 moo


The php script is simply...

rename ("./moo", "/tmp/crap");


Once called, the file moves to /tmp, even though the directory is owned by
root.

[EMAIL PROTECTED]:$ ls -la /tmp/crap
-rw-r--r--    1 daveb    noc             0 Jan 20 11:31 crap



It would appear that in ext/standard/file., in the rename() function, no
checking is done on new_name to see if the user has the correct UID to
write into that destination directory.

Changing line 1890 to the following ...

if (PG(safe_mode) && (!php_checkuid(old_name, NULL, CHECKUID_CHECK_FILE_AND_DIR) ||
                      !php_checkuid(new_name, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {

adds checking for the destination as well and prevents users from writing
into directories which, although they have permission to write into them,
they do not own and should not be writing to.

When running with that extra check, php now logs...

[client ::1] PHP Warning:  rename(): SAFE MODE Restriction in effect.  The
script whose uid is 677 is not allowed to access /tmp owned by uid 0 in
/usr/local/apache/iweb/rename.php on line 3
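The owner check the report is asking for, as an added Python model (not PHP's own code): a constructed in-memory table of path owners stands in for stat(), and check_uid_file_and_dir() is a simplified model of what the report calls php_checkuid(..., CHECKUID_CHECK_FILE_AND_DIR), assumed here to mean "the owner of the path if it exists, otherwise the owner of its parent directory, must equal the script's uid". rename_allowed_before() mirrors the behaviour described above (only old_name is checked) and rename_allowed_after() mirrors the proposed condition (both names checked). The script uid 677, the file ./moo and the root-owned /tmp come from the report; the working directory /usr/local/apache/iweb is assumed from the script path in the logged warning.

```python
"""Model of the safe_mode owner check for rename() (added example, not PHP source)."""
import posixpath

# Constructed sample filesystem (path -> owner uid) reproducing the report's
# scenario: the script (uid 677) owns its docroot and ./moo; /tmp is root's.
SCRIPT_UID = 677
DOCROOT = "/usr/local/apache/iweb"   # assumed working directory of rename.php
OWNERS = {
    "/": 0,
    "/tmp": 0,
    DOCROOT: SCRIPT_UID,
    posixpath.join(DOCROOT, "moo"): SCRIPT_UID,
}


def resolve(path, cwd=DOCROOT):
    """Turn a possibly relative path such as './moo' into an absolute one."""
    return posixpath.normpath(posixpath.join(cwd, path))


def check_uid_file_and_dir(path, script_uid, owners=OWNERS):
    """Simplified model (assumption, not PHP's php_checkuid) of
    CHECKUID_CHECK_FILE_AND_DIR: if the path exists compare its owner with the
    script uid, otherwise compare the owner of its parent directory.
    Returns (allowed, owner_seen, path_checked)."""
    abs_path = resolve(path)
    checked = abs_path if abs_path in owners else posixpath.dirname(abs_path)
    owner = owners[checked]
    return owner == script_uid, owner, checked


def rename_allowed_before(old_name, new_name, script_uid):
    """Behaviour the report describes: only the source name is checked, so a
    destination in a directory owned by someone else is silently accepted."""
    ok, _, _ = check_uid_file_and_dir(old_name, script_uid)
    return ok


def rename_allowed_after(old_name, new_name, script_uid):
    """Proposed condition: both source and destination must pass the check.
    Returns (allowed, warning); the warning text mirrors the logged message."""
    for name in (old_name, new_name):
        ok, owner, checked = check_uid_file_and_dir(name, script_uid)
        if not ok:
            warning = ("SAFE MODE Restriction in effect.  The script whose uid is %d "
                       "is not allowed to access %s owned by uid %d"
                       % (script_uid, checked, owner))
            return False, warning
    return True, None


if __name__ == "__main__":
    print("before:", rename_allowed_before("./moo", "/tmp/crap", SCRIPT_UID))
    print("after: ", rename_allowed_after("./moo", "/tmp/crap", SCRIPT_UID))
```

Run stand-alone, the "before" check returns True for the report's rename("./moo", "/tmp/crap"), while the "after" check refuses it with a warning naming /tmp and uid 0; a rename within the script's own directory passes both.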


According to
http://ie2.php.net/manual/en/features.safe-mode.functions.php,
rename() should "...Checks whether the directory in which you are about to
operate has the same UID (owner) as the script that is being
executed."...

Is the documentation out of sync with the code? Or the other way around?

-- 
Edit bug report at http://bugs.php.net/?id=26974&edit=1