Bug 103079

Summary: Included files do not respect safe mode directive
Product: [Retired] Red Hat Linux Reporter: Antonio Galea <ant9000>
Component: phpAssignee: Joe Orton <jorton>
Status: CLOSED NOTABUG QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2CC: ant9000
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2003-08-27 11:04:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Antonio Galea 2003-08-26 14:25:30 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030208
Netscape/7.02

Description of problem:
The "include" directive does not respect safe_mode constraints.

Version-Release number of selected component (if applicable):
php-4.1.2-7.2.6

How reproducible:
Always

Steps to Reproduce:
1. activate safe_mode
2. create a user php file with the content
<?php include("/etc/passwd") ?>
3. point your browser at it
   

Actual Results:  You see the content of /etc/passwd

Expected Results:  You should get an error complaining about safe mode being in
effect

Additional info:

It seems that the problem is already known:

http://www.securityfocus.com/archive/1/329395/2003-07-17/2003-07-23/0
Comment 1 Antonio Galea 2003-08-27 09:37:57 UTC 
A further test shows that this bug only applies to absolute path includes.
That is,

<? include "../../../etc/passwd"; ?>

fails as it should, while 

<? include "/etc/passwd"; ?>

includes the file. The problem certainly lies in function "php_fopen_with_path",
inside "main/fopen_wrappers.c"; as soon as I have time, will try and track it
down more closely.
Comment 2 Antonio Galea 2003-08-27 11:04:46 UTC 
Forgive me for the fuss I've made... no bug in PHP, simply my /etc/php.ini which
had the line

safe_mode_include_dir = /usr/share/pear:

with the ending colon... this caused every path to match.