[13271] in bugtraq

Re: PHP3 safe_mode and popen()

daemon@ATHENA.MIT.EDU (Kristian Koehntopp)
Thu Jan 6 17:00:45 2000

Content-Type: text
Message-Id:  <200001060831.JAA09468@valiant.koehntopp.de>
Date:         Thu, 6 Jan 2000 09:31:44 +0100
Reply-To: Kristian Koehntopp <kris@KOEHNTOPP.DE>
From: Kristian Koehntopp <kris@KOEHNTOPP.DE>
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

In netuse.lists.bugtraq you write:
>	Right... Your patch seems to work only with php-3.0.12.
>	I attach modified version for php-3.0.13.

Actually, my patch is against the current CVS of PHP and the
diff I posted was being generated directly from the CVS. Get
yourself a copy of current PHP directly from the CVS and all is
well.

>@@ -601,6 +602,11 @@
> 			snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val);
> 		}
> 		fp = popen(buf,p);
>+		
>+		tmp = _php3_escapeshellcmd(buf);
>+		fp = popen(tmp,p);
>+		efree(tmp); /* temporary copy, no longer necessary */
>+		
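
Review bot: The unchanged context line `fp = popen(buf,p);` is still present above the added lines, so the command is started once with the unescaped `buf` before the escaped `tmp` is ever used. The second assignment to `fp` then overwrites the first stream without a `pclose()`, which leaks that handle and means the command runs twice. The original call should be a `-` line in this hunk, leaving `fp = popen(tmp,p);` as the only `popen()`. The hunk header also counts five added lines, two of which contain only whitespace and could be dropped.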

Your patch does popen twice and the first popen() is unescaped.
This is broken and should not be used. Again, please use the CVS
to get a properly patched version of PHP or wait for the bugfix
release of PHP which will be out RSN.

Kristian