Newsgroups: php.internals
Xref: news.php.net php.internals:11552
Date: Sun, 25 Jul 2004 17:29:17 +0200
From: php@ter.dk (Peter Brodersen)
To: internals@lists.php.net
Subject: Re: [PHP-DEV] Bugreports - is it worth it? (or: glob() disclosing file names with open_basedir and safe_mode-restriction)
References: <20040725155303.2C25.PHP@ter.dk>
Message-ID: <20040725172908.2C2B.PHP@ter.dk>

Hi,

On Sun, 25 Jul 2004 11:12:26 -0400 (EDT) Adam Maccabee Trachtenberg wrote:

> > If nobody wants to give an answer to the above, my question would still be:
> > Is there any way restricting people from retrieving file names (where
> > open_basedir and safe_mode obviously won't help), besides adding glob to
> > disable_functions in php.ini?
>
> Why don't you set display_errors to Off? Or am I missing something?

I'm not that concerned about myself being able to locate files on my own system :)

I'm more concerned that users in a shared environment (as in most webhosting facilities) would be able to get file names they shouldn't have access to.

display_errors is changeable by PHP_INI_ALL, meaning that users would be able to turn warnings on.
Still, I wouldn't like a solution where users wouldn't have access to warnings, just because of this. I would hope for a global change (like changing the behaviour of glob()) making sure that users in a shared environment really are restricted by safe_mode and open_basedir.

I see several behaviours of glob() allowing users to bypass other security measures. As mentioned in bug #28932 I would think that glob() should behave the same way as opendir(). As it is now, errors would regard the files globbed and not the directory itself.

If it behaved like opendir(), we would get rid of the following issues:

- glob() checks UID of directory *or* first file, instead of just directory. First file-check makes no sense (1)
- No "file walking" would be possible (as glob() returns false instead of raising a warning if no file is matched) (2a)
- File names wouldn't be disclosed (2b)

-- 
- Peter Brodersen
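
The opendir()-style behaviour proposed in the message above, as an added example that is not part of the original message and not PHP's own code: the access decision is taken on the directory alone, so the outcome is the same whether or not any file matches. The function name `directory_checked_glob` and the `$allowedBases` parameter (standing in for the open_basedir list) are assumptions, and the temporary paths are constructed for the demo.

```php
<?php
// Hypothetical helper, not a PHP built-in (needs PHP 8). $allowedBases is an
// assumed stand-in for the open_basedir list.
function directory_checked_glob(string $pattern, array $allowedBases): array|false
{
    $dirPart = dirname($pattern);
    // A wildcard in the directory part would tie the decision to which
    // directories exist, so refuse it outright.
    if (strpbrk($dirPart, '*?[{') !== false) {
        return false;
    }
    // Resolve symlinks and ".." before comparing against the allowed bases.
    $dir = realpath($dirPart);
    if ($dir === false || !is_dir($dir)) {
        return false;
    }
    $permitted = false;
    foreach ($allowedBases as $base) {
        $base = realpath($base);
        if ($base === false) {
            continue;
        }
        $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if ($dir === $base || str_starts_with($dir, $prefix)) {
            $permitted = true;
            break;
        }
    }
    if (!$permitted) {
        // Decided on the directory alone: the result is the same whether or
        // not the pattern matches, and no file name appears in any message.
        return false;
    }
    $matches = glob($dir . DIRECTORY_SEPARATOR . basename($pattern));
    return $matches === false ? [] : $matches;
}

// Constructed demo: one allowed base and a sibling directory outside it.
$root = sys_get_temp_dir() . '/globdemo_' . bin2hex(random_bytes(4));
mkdir("$root/allowed", 0700, true);
mkdir("$root/other", 0700, true);
touch("$root/allowed/a.txt");
touch("$root/other/secret.txt");
var_dump(directory_checked_glob("$root/allowed/*.txt", ["$root/allowed"]));
// Outside the base: a matching and a non-matching pattern are indistinguishable.
var_dump(directory_checked_glob("$root/other/s*", ["$root/allowed"]) ===
         directory_checked_glob("$root/other/zzz*", ["$root/allowed"]));
```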