[13246] in bugtraq
Re: PHP3 safe_mode and popen()
daemon@ATHENA.MIT.EDU (=?iso-8859-1?Q?Thomas_K=F6hler?=)
Wed Jan 5 14:52:49 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Message-Id: <20000105095018.A863@picard.franken.de>
Date: Wed, 5 Jan 2000 09:50:18 +0100
Reply-To: =?iso-8859-1?Q?Thomas_K=F6hler?= <jean-luc@PICARD.FRANKEN.DE>
From: =?iso-8859-1?Q?Thomas_K=F6hler?= <jean-luc@PICARD.FRANKEN.DE>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20000104235132.A10294@lab.nnx.fr>; from d.tilloy@NNX.COM on Wed,
Jan 05, 2000 at 04:27:48AM +0100
Content-Transfer-Encoding: 8bit
On Wed, Jan 05, 2000 at 04:27:48AM +0100,
David TILLOY <d.tilloy@NNX.COM> wrote:
>
> Kristian Koehntopp [kris@KOEHNTOPP.DE] a écrit:
> > PHP3 (http://www.php.net) is a scripting language used in many
> > webhosting setups. Often in hosting setups so called "safe_mode"
> > is enabled, which restricts the user in many ways. For example,
> > in safe_mode you are supposed to be able to execute only
> > programs from a safe_mode_exec_dir, if one is defined. Within
> > that directory there should be only a restricted command set
> > that is considered safe.
>
> [.../...]
>
> Right... Your patch seems to work only with php-3.0.12.
> I attach modified version for php-3.0.13.
>
> dav.
> --- /tmp/php-3.0.13/functions/file.c Sat Jan 1 05:31:15 2000
> +++ functions/file.c Tue Jan 4 23:35:16 2000
> @@ -26,7 +26,7 @@
> | Authors: Rasmus Lerdorf <rasmus@lerdorf.on.ca> |
> +----------------------------------------------------------------------+
> */
> -/* $Id: file.c,v 1.229 2000/01/01 04:31:15 sas Exp $ */
> +/* $Id: file.c,v 1.230 2000/01/03 21:31:31 kk Exp $ */
> #include "php.h"
>
> #include <stdio.h>
> @@ -51,6 +51,7 @@
> #include "safe_mode.h"
> #include "php3_list.h"
> #include "php3_string.h"
> +#include "exec.h"
> #include "file.h"
> #if HAVE_PWD_H
> #if MSVC5
> @@ -575,7 +576,7 @@
> pval *arg1, *arg2;
> FILE *fp;
> int id;
> - char *p;
> + char *p, *tmp=NULL;
> char *b, buf[1024];
> TLS_VARS;
>
> @@ -601,6 +602,11 @@
> snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val);
> }
> fp = popen(buf,p);
Not removing this line leaves the problem in PHP3. You'd better remove
it :-)
> +
> + tmp = _php3_escapeshellcmd(buf);
> + fp = popen(tmp,p);
> + efree(tmp); /* temporary copy, no longer necessary */
> +
> if (!fp) {
> php3_error(E_WARNING,"popen(\"%s\",\"%s\") - %s",buf,p,strerror(errno));
> RETURN_FALSE;
CU,
Thomas
--
Thomas Köhler Email: jean-luc@picard.franken.de | LCARS - Linux for
<>< WWW: http://home.pages.de/~jeanluc/ | Computers on All
IRC: jeanluc | Real Starships
PGP public key: http://www.mayn.de/users/jean-luc/PGP-Public.asc
