ID: 40455
Updated by: [EMAIL PROTECTED]
Reported By: richton at nbcs dot rutgers dot edu
-Status: Open
+Status: Feedback
Bug Type: Safe Mode/open_basedir
Operating System: Solaris
PHP Version: 5CVS-2007-02-13 (snap)
New Comment:
>Assuming you're on a system with /bin/bash existing, it's
>all you need to go.
Sorry, I've failed to guess what should be the expected result of this
code and what is the actual result you get.
(Please no truss output. Thank you.)
Previous Comments:
------------------------------------------------------------------------
[2007-02-13 13:02:20] richton at nbcs dot rutgers dot edu
> To properly diagnose the problem, we
> need a short but complete example script to be able
> to reproduce this bug ourselves.
And the script filed under "Reproduce code" doesn't meet
this description how? I even show command lines with which
to run it. Just in case it's not obvious: What was filed
under "Reproduce code" in the original report is what I
placed in "execdir.php" for the Result sections. Assuming
you're on a system with /bin/bash existing, it's all you
need to go.
------------------------------------------------------------------------
[2007-02-13 09:07:20] [EMAIL PROTECTED]
Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.
A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.
Please avoid embedding huge scripts into the report.
------------------------------------------------------------------------
[2007-02-13 02:00:04] richton at nbcs dot rutgers dot edu
Description:
------------
In PHP 5.2.1 and in snap 5.2 200702122330 the
safe_mode_exec_dir gets executed. This did not occur in PHP
5.2.0. I am using proc_open() here.
Reproduce code:
---------------
<?php
$descriptorspec = array(0 => array("pipe", "r"), 1 => array("pipe",
"w"), 2 => array("pipe", "w"));
$process = proc_open("/bin/bash", $descriptorspec, $pipes);
?>
Expected result:
----------------
With safe mode off, expected result of /bin/bash getting
executed from PHP. (Note truss is like strace if you're used
to Linux.)
$ truss -f ./php -n ./execdir.php 2>&1 | grep execve
17635: execve("php", 0xFFBFFBE4, 0xFFBFFBF4) argc = 3
17636: execve("/bin/sh", 0xFFBFEFB8, 0xFFBFFBF4) argc = 3
17638: execve("/bin/bash", 0x0003A414, 0x0003A41C) argc = 1
Expected: That this result should be possible with an
appropriate safe_mode_exec_dir.
Actual result:
--------------
With safe mode on
$ truss -f ./php -n -d safe_mode=On -d safe_mode_exec_dir=/bin ./execdir.php 2>&1 | grep execve
17642: execve("php", 0xFFBFFBAC, 0xFFBFFBCC) argc = 7
17643: execve("/bin/sh", 0xFFBFEF80, 0xFFBFFBCC) argc = 3
17645: execve("/bin/", 0x0003A408, 0x0003A410) Err#13 EACCES
safe_mode_exec_dir "/bin" gets executed, despite code for
"/bin/bash." Note that this is not related to the incoming PHP
code at all:
$ truss -f ./php -n -d safe_mode=On -d safe_mode_exec_dir=FOOBAR ./execdir.php 2>&1 | grep execve
17649: execve("php", 0xFFBFFBAC, 0xFFBFFBCC) argc = 7
17650: execve("/bin/sh", 0xFFBFEF80, 0xFFBFFBCC) argc = 3
17652: execve("FOOBAR/", 0x0003A408, 0x0003A410) Err#2 ENOENT
------------------------------------------------------------------------
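Added example (not part of the bug report and not PHP's own code): a Python helper that reads the `truss -f ... | grep execve` output shown in the report and flags the case where the final execve target is safe_mode_exec_dir itself. It assumes the expected target is safe_mode_exec_dir joined with the program name of the command, as the reporter expects for /bin/bash with /bin; the function names are hypothetical.

```python
import posixpath
import re

# Matches '<pid>: execve("<path>", ...' as printed by `truss -f`.
EXECVE = re.compile(r'^\s*(\d+):\s+execve\("([^"]*)"')
ERR = re.compile(r'Err#\d+\s+(\w+)')

def parse_execve(trace):
    """Return [(pid, path, errno_name_or_None), ...] in trace order."""
    calls = []
    for line in trace.splitlines():
        m = EXECVE.match(line)
        if m:
            calls.append([int(m.group(1)), m.group(2), None])
        e = ERR.search(line)
        if e and calls:
            # Err# may follow on the same line or on a wrapped next line.
            calls[-1][2] = e.group(1)
    return [tuple(c) for c in calls]

def check_exec_dir(trace, command, exec_dir):
    """Compare the last execve target with exec_dir/basename(command)."""
    calls = parse_execve(trace)
    if not calls:
        return None
    # Assumption: only the program name of the command is kept.
    expected = posixpath.join(exec_dir, posixpath.basename(command.split()[0]))
    _pid, actual, err = calls[-1]
    if actual == expected and err is None:
        verdict = "ok"
    elif actual.rstrip("/") == exec_dir.rstrip("/"):
        verdict = "exec_dir executed, program name lost"
    else:
        verdict = "unexpected target"
    return {"expected": expected, "actual": actual, "errno": err, "verdict": verdict}

# Traces copied from the report above (argument addresses kept as printed).
TRACE_BIN = '''17642: execve("php", 0xFFBFFBAC, 0xFFBFFBCC) argc = 7
17643: execve("/bin/sh", 0xFFBFEF80, 0xFFBFFBCC) argc = 3
17645: execve("/bin/", 0x0003A408, 0x0003A410) Err#13 EACCES'''
TRACE_FOOBAR = '''17649: execve("php", 0xFFBFFBAC, 0xFFBFFBCC) argc = 7
17650: execve("/bin/sh", 0xFFBFEF80, 0xFFBFFBCC) argc = 3
17652: execve("FOOBAR/", 0x0003A408, 0x0003A410)
Err#2 ENOENT'''

if __name__ == "__main__":
    for trace, exec_dir in ((TRACE_BIN, "/bin"), (TRACE_FOOBAR, "FOOBAR")):
        print(check_exec_dir(trace, "/bin/bash", exec_dir))
```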