Yasuo Ohgaki wrote:
> Yasuo Ohgaki wrote:
>
>> Christian Stocker wrote:
>>
>>> another little thingie: the description to open_basedir in the
>>> distributed
>>> php.ini is between all the safe_mode config, therfore maybe a lot of
>>> people don't know, that one can use this whithout safe_mode enabled.
>>>
>>
>> I agree. The directive name should be "safe_mode_open_dasedir"
>> in first place...
>>
>> I added note to php.ini-*
>>
>>
>
> I didn't realized how open_basedir works and sander
> pointed out. Thanks Sander.
>
> Anyway, php_checkuid() does not check open_basedir and
> I immediately noticed user bypass open_basedir with
> pg_lo_import(). I guess there are many functions like
> pg_lo_import().
>
I've commited fixes to pgsql.c, and also
take a look at file.c and it seems sevral functions
do not check safe_mode and open_basedir yet.
(safe_mode/open_basedir could be faked by db command,
etc anyway, though...)
Is there reason why these functions don't check safe_mode
and open_basedir?
I don't have much time to test, so I didn't committed this
patch...
--
Yasuo Ohgaki
/usr/bin/diff: conflicting specifications of output style
--- file.c.~1.239.~ Sun Jul 14 09:14:16 2002
+++ file.c Wed Jul 17 14:37:02 2002
@@ -261,7 +261,13 @@
&filename, &filename_len,
&use_include_path) == FAILURE) {
return;
}
-
+ if (PG(safe_mode) && (!php_checkuid(filename, NULL,
+CHECKUID_CHECK_FILE_AND_DIR))) {
+ RETURN_FALSE;
+ }
+ if (php_check_open_basedir(filename TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+
php_stream_open_wrapper(filename, "rb", 0, NULL);
md.stream = php_stream_open_wrapper(filename, "rb",
@@ -411,6 +417,13 @@
return;
}
+ if (PG(safe_mode) && (!php_checkuid(filename, NULL,
+CHECKUID_CHECK_FILE_AND_DIR))) {
+ RETURN_FALSE;
+ }
+ if (php_check_open_basedir(filename TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+
stream = php_stream_open_wrapper(filename, "rb",
use_include_path | ENFORCE_SAFE_MODE | REPORT_ERRORS,
NULL);
@@ -457,6 +470,13 @@
&filename, &filename_len,
&use_include_path) == FAILURE) {
return;
}
+ if (PG(safe_mode) && (!php_checkuid(filename, NULL,
+CHECKUID_CHECK_FILE_AND_DIR))) {
+ RETURN_FALSE;
+ }
+ if (php_check_open_basedir(filename TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+
stream = php_stream_open_wrapper(filename, "rb",
use_include_path | ENFORCE_SAFE_MODE | REPORT_ERRORS,
@@ -526,6 +546,9 @@
convert_to_string_ex(arg1);
convert_to_string_ex(arg2);
+ if (PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(arg1), NULL,
+CHECKUID_ONLY_DIR))) {
+ RETURN_FALSE;
+ }
if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
RETURN_FALSE;
}
@@ -806,6 +829,13 @@
&mode, &mode_len, &use_include_path, &zcontext) ==
FAILURE) {
RETURN_FALSE;
}
+ if (PG(safe_mode) && (!php_checkuid(filename, NULL,
+CHECKUID_CHECK_FILE_AND_DIR))) {
+ RETURN_FALSE;
+ }
+ if (php_check_open_basedir(filename TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+
if (zcontext) {
context = (php_stream_context*)zend_fetch_resource(&zcontext
TSRMLS_CC, -1, "Stream-Context", NULL, 1, le_stream_context);
ZEND_VERIFY_RESOURCE(context);
@@ -1581,6 +1611,14 @@
WRONG_PARAM_COUNT;
}
convert_to_string_ex(arg1);
+
+ if (PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(arg1), NULL,
+CHECKUID_CHECK_FILE_AND_DIR))) {
+ RETURN_FALSE;
+ }
+
+ if (php_check_open_basedir(Z_STRVAL_PP(arg1) TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
stream = php_stream_open_wrapper(Z_STRVAL_PP(arg1), "rb",
use_include_path | ENFORCE_SAFE_MODE | REPORT_ERRORS,
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
