From:             richton at nbcs dot rutgers dot edu
Operating system: Solaris
PHP version:      5CVS-2007-02-13 (snap)
PHP Bug Type:     Safe Mode/open_basedir
Bug description:  safe_mode_exec_dir gets executed

Description:
------------
In PHP 5.2.1 and in snap 5.2 200702122330 the 
safe_mode_exec_dir gets executed. This did not occur in PHP 
5.2.0. I am using proc_open() here.

Reproduce code:
---------------
<?php
// stdin, stdout and stderr of the child process are all pipes
$descriptorspec = array(
    0 => array("pipe", "r"),
    1 => array("pipe", "w"),
    2 => array("pipe", "w"),
);
$process = proc_open("/bin/bash", $descriptorspec, $pipes);
?>


Expected result:
----------------
With safe mode off, expected result of /bin/bash getting 
executed from PHP. (Note truss is like strace if you're used 
to Linux.)

$ truss -f ./php -n  ./execdir.php 2>&1 | grep execve
17635:  execve("php", 0xFFBFFBE4, 0xFFBFFBF4)  argc = 3
17636:  execve("/bin/sh", 0xFFBFEFB8, 0xFFBFFBF4)  argc = 3
17638:  execve("/bin/bash", 0x0003A414, 0x0003A41C)  argc = 1

Expected: That this result should be possible with an 
appropriate safe_mode_exec_dir.

Actual result:
--------------
With safe mode on

$ truss -f ./php -n -d safe_mode=On -d safe_mode_exec_dir=/bin ./execdir.php 2>&1 | grep execve
17642:  execve("php", 0xFFBFFBAC, 0xFFBFFBCC)  argc = 7
17643:  execve("/bin/sh", 0xFFBFEF80, 0xFFBFFBCC)  argc = 3
17645:  execve("/bin/", 0x0003A408, 0x0003A410)         Err#13 EACCES

safe_mode_exec_dir "/bin" gets executed, despite code for 
"/bin/bash." Note that this is not related to the incoming PHP 
code at all:

$ truss -f ./php -n -d safe_mode=On -d safe_mode_exec_dir=FOOBAR ./execdir.php 2>&1 | grep execve
17649:  execve("php", 0xFFBFFBAC, 0xFFBFFBCC)  argc = 7
17650:  execve("/bin/sh", 0xFFBFEF80, 0xFFBFFBCC)  argc = 3
17652:  execve("FOOBAR/", 0x0003A408, 0x0003A410)       Err#2 ENOENT


-- 
Edit bug report at http://bugs.php.net/?id=40455&edit=1