[PHP-DEV] [PATCH] include file when using open_basedir
Hi !! Including or openeing a file fails when all paths defined in include_path are not also defined in open_basedir, regardless if the file to open/include is in both definitions. Imagine include_path = .:/usr/local/lib/php:/usr/local/http-docs open_basedir = .:/usr/local/http-docs trying to include a file on /usr/local/http-docs will fail when _php_stream_fopen_with_path will try to locate the file at usr/local/lib/php . This could be undestand as a configuration error, but in a virtual server farm enviroment it's easy to have include_path defined globaly in php.ini and open_basedir defined for each virtual server. BTW, it's not too good to fail in this situation as the requested file meets all requirements. Also the given error will report 'unable to open /usr/local/lib/php/filename' due to open_basedir restrictions, where the real requested file is /usr/local/http-docs/filename -- Best regards ... I was arrested for selling illegal sized paper. David Saez Padroshttp://www.ols.es On-Line Services 2000 S.L. e-mail [EMAIL PROTECTED] Pintor Vayreda 1 telf+34 902 50 29 75 08184 Palau-Solita i Plegamans movil +34 670 35 27 53 *** streams.c Sun Feb 23 21:32:40 2003 --- streams.c Sun Feb 23 21:34:40 2003 *** *** 1741,1746 --- 1741,1752 end++; } snprintf(trypath, MAXPATHLEN, %s/%s, ptr, filename); + + /* If file does not exist continue */ + if (VCWD_STAT(trypath, sb) == 0) { + ptr = end; + continue; + } if (php_check_open_basedir(trypath TSRMLS_CC)) { stream = NULL; *** *** 1748,1764 } if (PG(safe_mode)) { ! if (VCWD_STAT(trypath, sb) == 0) { ! /* file exists ... check permission */ ! if ((php_check_safe_mode_include_dir(trypath TSRMLS_CC) == 0) || ! php_checkuid(trypath, mode, CHECKUID_CHECK_MODE_PARAM)) { ! /* UID ok, or trypath is in safe_mode_include_dir */ ! stream = php_stream_fopen_rel(trypath, mode, opened_path, options); ! } else { ! stream = NULL; ! } ! goto stream_done; } } stream = php_stream_fopen_rel(trypath, mode, opened_path, options); if (stream) { --- 1754,1768 } if (PG(safe_mode)) { ! /* file exists ... check permission */ ! if ((php_check_safe_mode_include_dir(trypath TSRMLS_CC) == 0) || ! php_checkuid(trypath, mode, CHECKUID_CHECK_MODE_PARAM)) { ! /* UID ok, or trypath is in safe_mode_include_dir */ ! stream = php_stream_fopen_rel(trypath, mode, opened_path, options); ! } else { ! stream = NULL; } + goto stream_done; } stream = php_stream_fopen_rel(trypath, mode, opened_path, options); if (stream) { -- PHP Development Mailing List http://www.php.net/ To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DEV] [PATCH] warning does not report correct open_basedir
Hi !! open_basedir warning in fopen_wrappers.c does not correctly report the real open_basedir paths, it only reports the path it was actually testing when the test failed. This patch will make it show the correct information. -- Best regards ... I was arrested for selling illegal sized paper. David Saez Padroshttp://www.ols.es On-Line Services 2000 S.L. e-mail [EMAIL PROTECTED] Pintor Vayreda 1 telf+34 902 50 29 75 08184 Palau-Solita i Plegamans movil +34 670 35 27 53 *** fopen_wrappers.cSun Feb 23 21:13:08 2003 --- fopen_wrappers.cSun Feb 23 21:13:40 2003 *** *** 192,198 ptr = end; } php_error_docref(NULL TSRMLS_CC, E_WARNING, ! open_basedir restriction in effect. File(%s) is not within the allowed path(s): (%s), path, pathbuf); efree(pathbuf); errno = EPERM; /* we deny permission to open it */ return -1; --- 192,198 ptr = end; } php_error_docref(NULL TSRMLS_CC, E_WARNING, ! open_basedir restriction in effect. File(%s) is not within the allowed path(s): (%s), path, PG(open_basedir)); efree(pathbuf); errno = EPERM; /* we deny permission to open it */ return -1; -- PHP Development Mailing List http://www.php.net/ To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-DEV] [PATCH] include file when using open_basedir
Hi !! Correction to last submited patch !! Including or openeing a file fails when all paths defined in include_path are not also defined in open_basedir, regardless if the file to open/include is in both definitions. Imagine include_path = .:/usr/local/lib/php:/usr/local/http-docs open_basedir = .:/usr/local/http-docs trying to include a file on /usr/local/http-docs will fail when _php_stream_fopen_with_path will try to locate the file at usr/local/lib/php . This could be undestand as a configuration error, but in a virtual server farm enviroment it's easy to have include_path defined globaly in php.ini and open_basedir defined for each virtual server. BTW, it's not too good to fail in this situation as the requested file meets all requirements. Also the given error will report 'unable to open /usr/local/lib/php/filename' due to open_basedir restrictions, where the real requested file is /usr/local/http-docs/filename -- Best regards ... I was arrested for selling illegal sized paper. David Saez Padroshttp://www.ols.es On-Line Services 2000 S.L. e-mail [EMAIL PROTECTED] Pintor Vayreda 1 telf+34 902 50 29 75 08184 Palau-Solita i Plegamans movil +34 670 35 27 53 *** streams.c Sun Feb 23 21:32:40 2003 --- streams.c Sun Feb 23 21:34:40 2003 *** *** 1741,1746 --- 1741,1752 end++; } snprintf(trypath, MAXPATHLEN, %s/%s, ptr, filename); + + /* If file does not exist continue */ + if (VCWD_STAT(trypath, sb) != 0) { + ptr = end; + continue; + } if (php_check_open_basedir(trypath TSRMLS_CC)) { stream = NULL; *** *** 1748,1764 } if (PG(safe_mode)) { ! if (VCWD_STAT(trypath, sb) == 0) { ! /* file exists ... check permission */ ! if ((php_check_safe_mode_include_dir(trypath TSRMLS_CC) == 0) || ! php_checkuid(trypath, mode, CHECKUID_CHECK_MODE_PARAM)) { ! /* UID ok, or trypath is in safe_mode_include_dir */ ! stream = php_stream_fopen_rel(trypath, mode, opened_path, options); ! } else { ! stream = NULL; ! } ! goto stream_done; } } stream = php_stream_fopen_rel(trypath, mode, opened_path, options); if (stream) { --- 1754,1768 } if (PG(safe_mode)) { ! /* file exists ... check permission */ ! if ((php_check_safe_mode_include_dir(trypath TSRMLS_CC) == 0) || ! php_checkuid(trypath, mode, CHECKUID_CHECK_MODE_PARAM)) { ! /* UID ok, or trypath is in safe_mode_include_dir */ ! stream = php_stream_fopen_rel(trypath, mode, opened_path, options); ! } else { ! stream = NULL; } + goto stream_done; } stream = php_stream_fopen_rel(trypath, mode, opened_path, options); if (stream) { -- PHP Development Mailing List http://www.php.net/ To unsubscribe, visit: http://www.php.net/unsub.php