Bug 103079 - Included files do not respect safe mode directive
Included files do not respect safe mode directive
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: php (Show other bugs)
7.2
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Joe Orton
David Lawrence
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-08-26 10:25 EDT by Antonio Galea
Modified: 2007-04-18 12:57 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2003-08-27 07:04:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Antonio Galea 2003-08-26 10:25:30 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030208
Netscape/7.02

Description of problem:
The "include" directive does not respect safe_mode constraints.

Version-Release number of selected component (if applicable):
php-4.1.2-7.2.6

How reproducible:
Always

Steps to Reproduce:
1. activate safe_mode
2. create a user php file with the content
<?php include("/etc/passwd") ?>
3. point your browser at it
   

Actual Results:  You see the content of /etc/passwd

Expected Results:  You should get an error complaining about safe mode being in
effect

Additional info:

It seems that the problem is already known:

http://www.securityfocus.com/archive/1/329395/2003-07-17/2003-07-23/0
Comment 1 Antonio Galea 2003-08-27 05:37:57 EDT
A further test shows that this bug only applies to absolute path includes.
That is,

<? include "../../../etc/passwd"; ?>

fails as it should, while 

<? include "/etc/passwd"; ?>

includes the file. The problem certainly lies in function "php_fopen_with_path",
inside "main/fopen_wrappers.c"; as soon as I have time, will try and track it
down more closely.
Comment 2 Antonio Galea 2003-08-27 07:04:46 EDT
Forgive me for the fuss I've made... no bug in PHP, simply my /etc/php.ini which
had the line

safe_mode_include_dir = /usr/share/pear:

with the ending colon... this caused every path to match.

Note You need to log in before you can comment on or make changes to this bug.