ID: 40455
User updated by: richton at nbcs dot rutgers dot edu
Reported By: richton at nbcs dot rutgers dot edu
-Status: Feedback
+Status: Open
Bug Type: Safe Mode/open_basedir
Operating System: Solaris
PHP Version: 5CVS-2007-02-13 (snap)
New Comment:
> To properly diagnose the problem, we
> need a short but complete example script to be able
> to reproduce this bug ourselves.
And the script filed under "Reproduce code" doesn't meet
this description how? I even show command lines with which
to run it. Just in case it's not obvious: What was filed
under "Reproduce code" in the original report is what I
placed in "execdir.php" for the Result sections. Assuming
you're on a system with /bin/bash existing, it's all you
need to go.
Previous Comments:
------------------------------------------------------------------------
[2007-02-13 09:07:20] [EMAIL PROTECTED]
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.
A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.
Please avoid embedding huge scripts into the report.
------------------------------------------------------------------------
[2007-02-13 02:00:04] richton at nbcs dot rutgers dot edu
Description:
------------
In PHP 5.2.1 and in snap 5.2 200702122330 the
safe_mode_exec_dir gets executed. This did not occur in PHP
5.2.0. I am using proc_open() here.
Reproduce code:
---------------
<?php
$descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe",
"w"), 2 => array("pipe", "w"));
$process = proc_open("/bin/bash", $descriptorspec, $pipes);
?>
Expected result:
----------------
With safe mode off, expected result of /bin/bash getting
executed from PHP. (Note truss is like strace if you're used
to Linux.)
$ truss -f ./php -n ./execdir.php 2>&1 | grep execve
17635: execve("php", 0xFFBFFBE4, 0xFFBFFBF4) argc = 3
17636: execve("/bin/sh", 0xFFBFEFB8, 0xFFBFFBF4) argc = 3
17638: execve("/bin/bash", 0x0003A414, 0x0003A41C) argc = 1
Expected: That this result should be possible with an
appropriate safe_mode_exec_dir.
Actual result:
--------------
With safe mode on
$ truss -f ./php -n -d safe_mode=On -d safe_mode_exec_dir=/
bin ./execdir.php 2>&1 | grep execve
17642: execve("php", 0xFFBFFBAC, 0xFFBFFBCC) argc = 7
17643: execve("/bin/sh", 0xFFBFEF80, 0xFFBFFBCC) argc = 3
17645: execve("/bin/", 0x0003A408, 0x0003A410)
Err#13 EACCES
safe_mode_exec_dir "/bin" gets executed, despite code for "/
bin/bash." Note that this is not related to the incoming PHP
code at all:
$ truss -f ./php -n -d safe_mode=On -d
safe_mode_exec_dir=FOOBAR ./execdir.php 2>&1 | grep execve
17649: execve("php", 0xFFBFFBAC, 0xFFBFFBCC) argc = 7
17650: execve("/bin/sh", 0xFFBFEF80, 0xFFBFFBCC) argc = 3
17652: execve("FOOBAR/", 0x0003A408, 0x0003A410)
Err#2 ENOENT
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=40455&edit=1
