hi,

Just wanted to let you guys know that the php opendir() function suffers a tiny 
security risk in a multiuser environment. Say you have a server with multiple users 
having access to php. Those users' home dirs are stored in the same tree (say 
/data/users/). 

With the function as it is now, the user chand (/data/users/chand) would be able to 
open and watch the contents of Rasmus' home directory (/data/users/rasmus) because 
_php_do_opendir (in ext/standard/dir.c) doesn't implement the safe_mode's php_checkuid 
function as I think it should (IMHO). It only checks the open_base_dir variable. But 
on a multiuser (multi as in thousands of thousands) environment, you can't honestly go 
that way.

Hence the following patch:

--- ../php-4.1.0/ext/standard/dir.c     Sat Aug 11 19:03:36 2001
+++ ext/standard/dir.c  Fri Mar  1 00:46:58 2002
@@ -151,6 +151,13 @@
        if (php_check_open_basedir((*arg)->value.str.val TSRMLS_CC)) {
                RETURN_FALSE;
        }
+
+       /* <CHAND> Added Checkuid so that we check a guy can't go see anything except 
+from his directory up... */
+       if (!php_checkuid((*arg)->value.str.val, NULL, 3)) {
+               php_error(E_WARNING, "Permission denied to the directory : %s", 
+(*arg)->value.str.val);
+               RETURN_FALSE;
+       }
+       /* </CHAND> */
 
        dirp = emalloc(sizeof(php_dir));
 
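Review bot: the new php_checkuid() call is unconditional, so it changes opendir() behaviour on every installation, while the message presents it as a safe_mode check; consider gating it the same way the rest of the safe_mode checks are, e.g. `if (PG(safe_mode) && !php_checkuid((*arg)->value.str.val, NULL, 3)) {`. The bare `3` passed as the mode argument should also be the named CHECKUID_* constant from main/safe_mode.h rather than a magic number, so a reviewer can tell which existence/ownership rule is intended. Two smaller points: the comment and the php_error() call have been line-wrapped by the mail client (`+from his directory up...` and `+(*arg)->value.str.val);` start their own lines), so the hunk will not apply as pasted and should be resubmitted as an attachment; and the warning text has a stray space before the colon ("directory : %s") and the `<CHAND>`/`</CHAND>` markers are not the project's comment style, so a plain one-line comment would fit dir.c better.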

Just tell me if I'm out of the blue here and if what I'm saying is making any sense to 
you. Almost every security issue in such an environment I had to patch in earlier 
versions of php was patched in 4.1.0 except for this one.
If it could be from now on, it would be pretty cool :) 

Thanks for any comments and for taking my information into consideration. Maybe the 
patch I submitted is not the best way to do it (I don't master the php/Zend API) but 
it works fine with me.

Later



--
Mark Villemade
Hosting Services Technical Manager
MultiMania / Lycos Europe
(int) +33 1 53 27 24 05

