Re: [PHP-DEV] Critical Bug #20887
But unfortunately neither of these fix the bug. If there is php.ini in /, it's still used.

--Jani

On Thu, 12 Dec 2002, Moriyoshi Koizumi wrote:

> +1 for applying this patch. and attached is yet another fix as my suggestion. (a bit dirty, and not tested enough).
>
> Moriyoshi
>
> Sara Golemon [EMAIL PROTECTED] wrote:
>
> > I THINK the patch below will fix critical bug #20887, but it's late and I've had a long day so I haven't begun to make sure it'll work properly in any circumstance, could anyone else have a look and try it out? See my note in Bug #20887 for an explanation of what my theory about the problem is.
> >
> > -Pollita
> >
> > Index: main/php_ini.c === RCS file: /repository/php4/main/php_ini.c,v retrieving revision 1.106 diff -u -r1.106 php_ini.c --- main/php_ini.c 12 Nov 2002 20:56:47 - 1.106 +++ main/php_ini.c 12 Dec 2002 06:49:50 - @@ -298,7 +298,9 @@ char *separator_location = strrchr(binary_location, DEFAULT_SLASH); if (separator_location) { - *(separator_location+1) = 0; + separator_location[0] = '\0'; + } else { + binary_location[0] = '\0'; } if (*php_ini_search_path) { strcat(php_ini_search_path, paths_separator);

-- PHP Development Mailing List http://www.php.net/ To unsubscribe, visit: http://www.php.net/unsub.php
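Review bot: In the new `else` branch of the -298,7 hunk, `binary_location[0] = '\0';` leaves an empty string, yet the trailing context still goes on to append `paths_separator` to `php_ini_search_path`, so an empty directory entry can end up in the search path. The same happens in the `if` branch when the only separator is the first character, because `separator_location[0] = '\0';` then truncates the whole string. Suggest skipping the append when `*binary_location` is empty (or freeing `binary_location` and treating it as absent), and adding a comment that says whether dropping the trailing separator is intended.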
Re: [PHP-DEV] Critical Bug #20887
Hmm... it's natural that when apache is launched at /, it should read /php.ini because of the current implementation shown below.

    #ifdef INI_CHECK_CWD
        if (strcmp(sapi_module.name, "cli")!=0) {
            if (*php_ini_search_path) {
                strcat(php_ini_search_path, paths_separator);
            }
            strcat(php_ini_search_path, ".");
        }
    #endif

Moriyoshi

Jani Taskinen [EMAIL PROTECTED] wrote:

> But unfortunately neither of these fix the bug. If there is php.ini in /, it's still used.
>
> --Jani
>
> On Thu, 12 Dec 2002, Moriyoshi Koizumi wrote:
>
> > +1 for applying this patch. and attached is yet another fix as my suggestion. (a bit dirty, and not tested enough).
> >
> > Moriyoshi
> >
> > Sara Golemon [EMAIL PROTECTED] wrote:
> >
> > > I THINK the patch below will fix critical bug #20887, but it's late and I've had a long day so I haven't begun to make sure it'll work properly in any circumstance, could anyone else have a look and try it out? See my note in Bug #20887 for an explanation of what my theory about the problem is.
> > >
> > > -Pollita
> > >
> > > Index: main/php_ini.c === RCS file: /repository/php4/main/php_ini.c,v retrieving revision 1.106 diff -u -r1.106 php_ini.c --- main/php_ini.c 12 Nov 2002 20:56:47 - 1.106 +++ main/php_ini.c 12 Dec 2002 06:49:50 - @@ -298,7 +298,9 @@ char *separator_location = strrchr(binary_location, DEFAULT_SLASH); if (separator_location) { - *(separator_location+1) = 0; + separator_location[0] = '\0'; + } else { + binary_location[0] = '\0'; } if (*php_ini_search_path) { strcat(php_ini_search_path, paths_separator);
Re: [PHP-DEV] Critical Bug #20887
On Thu, 12 Dec 2002, Moriyoshi Koizumi wrote:

> Hmm... it's natural that when apache is launched at /, it should read /php.ini because of the current implementation shown below.
>
>     #ifdef INI_CHECK_CWD
>         if (strcmp(sapi_module.name, "cli")!=0) {
>             if (*php_ini_search_path) {
>                 strcat(php_ini_search_path, paths_separator);
>             }
>             strcat(php_ini_search_path, ".");
>         }
>     #endif

Yeah, but I'm not launching it at /..

--Jani

> Moriyoshi
>
> Jani Taskinen [EMAIL PROTECTED] wrote:
>
> > But unfortunately neither of these fix the bug. If there is php.ini in /, it's still used.
> >
> > --Jani
> >
> > On Thu, 12 Dec 2002, Moriyoshi Koizumi wrote:
> >
> > > +1 for applying this patch. and attached is yet another fix as my suggestion. (a bit dirty, and not tested enough).
> > >
> > > Moriyoshi
> > >
> > > Sara Golemon [EMAIL PROTECTED] wrote:
> > >
> > > > I THINK the patch below will fix critical bug #20887, but it's late and I've had a long day so I haven't begun to make sure it'll work properly in any circumstance, could anyone else have a look and try it out? See my note in Bug #20887 for an explanation of what my theory about the problem is.
> > > >
> > > > -Pollita
> > > >
> > > > Index: main/php_ini.c === RCS file: /repository/php4/main/php_ini.c,v retrieving revision 1.106 diff -u -r1.106 php_ini.c --- main/php_ini.c 12 Nov 2002 20:56:47 - 1.106 +++ main/php_ini.c 12 Dec 2002 06:49:50 - @@ -298,7 +298,9 @@ char *separator_location = strrchr(binary_location, DEFAULT_SLASH); if (separator_location) { - *(separator_location+1) = 0; + separator_location[0] = '\0'; + } else { + binary_location[0] = '\0'; } if (*php_ini_search_path) { strcat(php_ini_search_path, paths_separator);
Re: [PHP-DEV] Critical Bug #20887
On Thu, 12 Dec 2002, Jani Taskinen wrote:

> On Thu, 12 Dec 2002, Moriyoshi Koizumi wrote:
>
> > Hmm... it's natural that when apache is launched at /, it should read /php.ini because of the current implementation shown below.
> >
> >     #ifdef INI_CHECK_CWD
> >         if (strcmp(sapi_module.name, "cli")!=0) {
> >             if (*php_ini_search_path) {
> >                 strcat(php_ini_search_path, paths_separator);
> >             }
> >             strcat(php_ini_search_path, ".");
> >         }
> >     #endif
>
> Yeah, but I'm not launching it at /..

AFAIK apache always does a chdir('/') when you start it.

Derick

--
Derick Rethans http://derickrethans.nl/
PHP Magazine - PHP Magazine for Professionals http://php-mag.net/
Re: [PHP-DEV] Critical Bug #20887
You are right. I verified Apache changes the cwd to / unless it's been launched in single process mode.

And I found results could be different by cases, using DSO or using CGI executable. When you run your script with CGI executable and php.ini is also present in that directory, the PHP binary tries to read that one as mod_cgi tries to chdir to where the script is put.

I'm not sure, but this appears to imply some security issues?

Moriyoshi

Derick Rethans [EMAIL PROTECTED] wrote:

> On Thu, 12 Dec 2002, Jani Taskinen wrote:
>
> > On Thu, 12 Dec 2002, Moriyoshi Koizumi wrote:
> >
> > > Hmm... it's natural that when apache is launched at /, it should read /php.ini because of the current implementation shown below.
> > >
> > >     #ifdef INI_CHECK_CWD
> > >         if (strcmp(sapi_module.name, "cli")!=0) {
> > >             if (*php_ini_search_path) {
> > >                 strcat(php_ini_search_path, paths_separator);
> > >             }
> > >             strcat(php_ini_search_path, ".");
> > >         }
> > >     #endif
> >
> > Yeah, but I'm not launching it at /..
>
> AFAIK apache always does a chdir('/') when you start it.
>
> Derick
>
> --
> Derick Rethans http://derickrethans.nl/
> PHP Magazine - PHP Magazine for Professionals http://php-mag.net/
Re: [PHP-DEV] Critical Bug #20887
> You are right. I verified Apache changes the cwd to / unless it's been launched in single process mode.
>
> And I found results could be different by cases, using DSO or using CGI executable. When you run your script with CGI executable and php.ini is also present in that directory, the PHP binary tries to read that one as mod_cgi tries to chdir to where the script is put.
>
> I'm not sure, but this appears to imply some security issues?

At the time CLI was introduced I argued to remove "." from php.ini search path, but that was not accepted because some people apparently use this feature for having different configurations for different virtual hosts. Therefore "." was removed only from CLI's php.ini search path.

Edin
Re: [PHP-DEV] Critical Bug #20887
> At the time CLI was introduced I argued to remove "." from php.ini search path, but that was not accepted because some people apparently use this feature for having different configurations for different virtual hosts. Therefore "." was removed only from CLI's php.ini search path.

This feature looks somewhat evil since it enables users to bypass the safe mode restrictions enforced by the administrator, or am I missing something?

Anyway, the following patch should make sense for #20887?

Moriyoshi

Index: main/php_ini.c === RCS file: /repository/php4/main/php_ini.c,v retrieving revision 1.106 diff -u -r1.106 php_ini.c --- main/php_ini.c 12 Nov 2002 20:56:47 - 1.106 +++ main/php_ini.c 12 Dec 2002 11:22:17 - @@ -272,7 +272,8 @@ /* Add cwd */ #ifdef INI_CHECK_CWD - if (strcmp(sapi_module.name, cli)!=0) { + if (strcmp(sapi_module.name, cgi)==0 + || strcmp(sapi_module.name, cgi-fcgi)==0) { if (*php_ini_search_path) { strcat(php_ini_search_path, paths_separator); }
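Review bot: The new condition in the -272,7 hunk, `strcmp(sapi_module.name, cgi)==0 || strcmp(sapi_module.name, cgi-fcgi)==0`, keeps the cwd entry for exactly the SAPIs where, as noted earlier in this thread, mod_cgi has already changed into the script's directory, so a php.ini placed next to a script is still read and the safe mode concern raised in this same message is not addressed. If the lookup has to stay for CGI, the `/* Add cwd */` comment should say why only these two SAPI names are allowed, and an explicit build or runtime switch would be easier to audit than hard-coded names.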
Re: [PHP-DEV] Critical Bug #20887
No because it was precisely because of cgi that CWD wasn't removed from the php.ini search path. Have a look at the following thread:

http://www.zend.com/lists/php-dev/200202/msg01325.html

Edin

- Original Message -
From: Moriyoshi Koizumi [EMAIL PROTECTED]
To: Edin Kadribasic [EMAIL PROTECTED]
Cc: Derick Rethans [EMAIL PROTECTED]; Jani Taskinen [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, December 12, 2002 12:44 PM
Subject: Re: [PHP-DEV] Critical Bug #20887

> > At the time CLI was introduced I argued to remove "." from php.ini search path, but that was not accepted because some people apparently use this feature for having different configurations for different virtual hosts. Therefore "." was removed only from CLI's php.ini search path.
>
> This feature looks somewhat evil since it enables users to bypass the safe mode restrictions enforced by the administrator, or am I missing something?
>
> Anyway, the following patch should make sense for #20887?
>
> Moriyoshi
>
> Index: main/php_ini.c === RCS file: /repository/php4/main/php_ini.c,v retrieving revision 1.106 diff -u -r1.106 php_ini.c --- main/php_ini.c 12 Nov 2002 20:56:47 - 1.106 +++ main/php_ini.c 12 Dec 2002 11:22:17 - @@ -272,7 +272,8 @@ /* Add cwd */ #ifdef INI_CHECK_CWD - if (strcmp(sapi_module.name, cli)!=0) { + if (strcmp(sapi_module.name, cgi)==0 + || strcmp(sapi_module.name, cgi-fcgi)==0) { if (*php_ini_search_path) { strcat(php_ini_search_path, paths_separator); }
Re: [PHP-DEV] Critical Bug #20887
Thanks for the pointer. As far as I looked over the thread, which is not so long as I expected, I don't feel there is that much need for including CWD in php.ini search path.

+1 for removing that feature.

Moriyoshi

Edin Kadribasic [EMAIL PROTECTED] wrote:

> No because it was precisely because of cgi that CWD wasn't removed from the php.ini search path. Have a look at the following thread:
>
> http://www.zend.com/lists/php-dev/200202/msg01325.html
>
> Edin
>
> - Original Message -
> From: Moriyoshi Koizumi [EMAIL PROTECTED]
> To: Edin Kadribasic [EMAIL PROTECTED]
> Cc: Derick Rethans [EMAIL PROTECTED]; Jani Taskinen [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Thursday, December 12, 2002 12:44 PM
> Subject: Re: [PHP-DEV] Critical Bug #20887
>
> > > At the time CLI was introduced I argued to remove "." from php.ini search path, but that was not accepted because some people apparently use this feature for having different configurations for different virtual hosts. Therefore "." was removed only from CLI's php.ini search path.
> >
> > This feature looks somewhat evil since it enables users to bypass the safe mode restrictions enforced by the administrator, or am I missing something?
> >
> > Anyway, the following patch should make sense for #20887?
> >
> > Moriyoshi
> >
> > Index: main/php_ini.c === RCS file: /repository/php4/main/php_ini.c,v retrieving revision 1.106 diff -u -r1.106 php_ini.c --- main/php_ini.c 12 Nov 2002 20:56:47 - 1.106 +++ main/php_ini.c 12 Dec 2002 11:22:17 - @@ -272,7 +272,8 @@ /* Add cwd */ #ifdef INI_CHECK_CWD - if (strcmp(sapi_module.name, cli)!=0) { + if (strcmp(sapi_module.name, cgi)==0 + || strcmp(sapi_module.name, cgi-fcgi)==0) { if (*php_ini_search_path) { strcat(php_ini_search_path, paths_separator); }
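The behaviour discussed in this thread (a "." entry in the php.ini search path combined with a chdir into the script directory), modelled as an added example that is not part of the original messages and is not PHP's code. It compares the rule in the quoted source, the rule in Moriyoshi's patch, and dropping the entry; the two-entry search path, the ':' separator, the temporary directories and the names `adds_cwd`, `ini_from_cwd` and `resolve` are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The three rules discussed in the thread for adding "." to the search path. */
enum cwd_policy { CWD_UNLESS_CLI, CWD_ONLY_CGI, CWD_NEVER };
static int adds_cwd(enum cwd_policy p, const char *sapi) {
    if (p == CWD_UNLESS_CLI) return strcmp(sapi, "cli") != 0;
    if (p == CWD_ONLY_CGI) return !strcmp(sapi, "cgi") || !strcmp(sapi, "cgi-fcgi");
    return 0;
}

/* Walk a ':'-separated search path (separator assumed) and report where the
 * first php.ini is found: 1 = relative entry (depends on cwd), 0 = absolute, -1 = none. */
static int ini_from_cwd(const char *search_path) {
    char copy[512], file[600];
    snprintf(copy, sizeof copy, "%s", search_path);
    for (char *dir = strtok(copy, ":"); dir; dir = strtok(NULL, ":")) {
        snprintf(file, sizeof file, "%s/php.ini", dir);
        if (access(file, R_OK) == 0) return dir[0] != '/';
    }
    return -1;
}

/* Constructed scenario: an admin directory and a script directory each hold a
 * php.ini and the process has chdir()ed to the script directory; -2 = setup failed. */
static int resolve(enum cwd_policy p, const char *sapi) {
    char admin[] = "/tmp/ini-admin-XXXXXX", script[] = "/tmp/ini-script-XXXXXX";
    char path[512], file[2][600];
    if (!mkdtemp(admin) || !mkdtemp(script)) return -2;
    const char *dirs[2] = { admin, script };
    for (int i = 0; i < 2; i++) {
        snprintf(file[i], sizeof file[i], "%s/php.ini", dirs[i]);
        FILE *f = fopen(file[i], "w");
        if (f) fclose(f);
    }
    snprintf(path, sizeof path, "%s%s", adds_cwd(p, sapi) ? ".:" : "", admin);
    int r = chdir(script) == 0 ? ini_from_cwd(path) : -2;
    if (chdir("/") != 0) r = -2;   /* leave the directory before removing it */
    for (int i = 0; i < 2; i++) { unlink(file[i]); rmdir(dirs[i]); }
    return r;
}

int main(void) {
    printf("%d %d %d\n", resolve(CWD_UNLESS_CLI, "cgi"),
           resolve(CWD_ONLY_CGI, "apache"), resolve(CWD_NEVER, "cgi"));
    return 0;
}
```

A result of 1 means the configuration that wins is whichever php.ini sits in the directory the process was moved into, not the one the administrator installed.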
Re: [PHP-DEV] Critical Bug #20887
+1 for applying this patch. and attached is yet another fix as my suggestion. (a bit dirty, and not tested enough).

Moriyoshi

Sara Golemon [EMAIL PROTECTED] wrote:

> I THINK the patch below will fix critical bug #20887, but it's late and I've had a long day so I haven't begun to make sure it'll work properly in any circumstance, could anyone else have a look and try it out? See my note in Bug #20887 for an explanation of what my theory about the problem is.
>
> -Pollita
>
> Index: main/php_ini.c === RCS file: /repository/php4/main/php_ini.c,v retrieving revision 1.106 diff -u -r1.106 php_ini.c --- main/php_ini.c 12 Nov 2002 20:56:47 - 1.106 +++ main/php_ini.c 12 Dec 2002 06:49:50 - @@ -298,7 +298,9 @@ char *separator_location = strrchr(binary_location, DEFAULT_SLASH); if (separator_location) { - *(separator_location+1) = 0; + separator_location[0] = '\0'; + } else { + binary_location[0] = '\0'; } if (*php_ini_search_path) { strcat(php_ini_search_path, paths_separator);

Index: main/php_ini.c === RCS file: /repository/php4/main/php_ini.c,v retrieving revision 1.106 diff -u -r1.106 php_ini.c --- main/php_ini.c 12 Nov 2002 20:56:47 - 1.106 +++ main/php_ini.c 12 Dec 2002 07:52:04 - 
@@ -287,11 +287,21 @@ efree(binary_location); binary_location = NULL; } +#elif defined(__linux__) + binary_location = (char *) emalloc(MAXPATHLEN); + binary_location = realpath(/proc/self/exe, binary_location); +#elif defined(__svr4__) + binary_location = (char *) emalloc(MAXPATHLEN); + binary_location = realpath(/proc/self/object/a.out, binary_location); +#elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) + binary_location = (char *) emalloc(MAXPATHLEN); + binary_location = realpath(/proc/curproc/file, binary_location); #else + binary_location = NULL; if (sapi_module.executable_location) { - binary_location = estrdup(sapi_module.executable_location); - } else { - binary_location = NULL; + if (sapi_module.executable_location[0] == DEFAULT_SLASH) { + binary_location = +estrdup(sapi_module.executable_location); + } } #endif if (binary_location) {
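Review bot: In each of the three new `#elif` branches of the -287,11 hunk, `binary_location = realpath(/proc/self/exe, binary_location);` (and its two siblings) overwrites the only pointer to the `emalloc(MAXPATHLEN)` buffer, so when `realpath()` fails and returns NULL the buffer is leaked. Because the `sapi_module.executable_location` lookup now lives only under `#else`, these platforms also get no fallback when the /proc path cannot be resolved. Suggest keeping the buffer in a temporary, calling `efree()` on failure and then falling through to the `executable_location` check; the new test `sapi_module.executable_location[0] == DEFAULT_SLASH` also deserves a one-line comment explaining why relative locations are rejected.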