Newsgroups: php.internals
Date: Fri, 1 Oct 2004 12:01:00 -0700 (PDT)
From: rasmus@php.net (Rasmus Lerdorf)
To: Andi Gutmans
cc: Sara Golemon, internals@lists.php.net
Subject: Re: [PHP-DEV] Re: realpath patch
In-Reply-To: <5.1.0.14.2.20041001113226.02efa7e0@localhost>
References: <5.1.0.14.2.20040930225715.02f0e4b0@localhost> <5.1.0.14.2.20041001113226.02efa7e0@localhost>

On Fri, 1 Oct 2004, Andi Gutmans wrote:

> At 11:24 AM 10/1/2004 -0700, Sara Golemon wrote:
> > > I'd like to commit the realpath() patch I sent to the list for review a
> > > week or so ago. Unless there are any objections I'll commit it (to HEAD) in
> > > 1-2 days. This will give it some more exposure and will have more people
> > > testing it.
> >
> > Somehow the patch is no longer in my news spool, so rather than looking at
> > the source I'll just ask: Are all uses of VCWD_REALPATH() affected by this?
> > If so it could provide a means to bypass basedir checks (and possibly
> > certain parts of safe_mode). A scripter on a shared host could create a
> > symlink, get the cache to catch it, then change the symlink to point to a
> > different (ordinarily restricted) location, then do normal file ops letting
> > the basedir check believe that the script is accessing a valid location.
> >
> > Can we roll in a VCWD_REALPATH_NO_CACHE() macro to avoid problems like this?
>
> http://snaps.php.net/~andi/realpath_cache2.diff
>
> Hmm, you are quite a hacker :)
> I think you might be on to something. Can you take a look and see what
> changes we'd require?

The only real way around this is to not cache when safemode is on. The whole
point of the realpath cache is to assume that the directory structure on a
server doesn't change very often, which is normally the case. If someone
changes it on purpose underneath it, all bets are off.

On the other hand, if someone has access to make directory structure changes
on the server, in most cases they have already gotten around safemode. With
safemode on they can't do this symlink trick directly from PHP because PHP's
symlink() safemode checks source and target paths. The only case that trips us
up is the one where a user has direct access to create whatever symlinks he
wants in his own directory and then, by hitting that symlink through the web
server, he is effectively reading any file the web server user id has
permission to read and thereby bypassing safemode.

But like my syscall patches, realpath caching isn't something all that many
really need. Turning it off when safemode/open_basedir is on should be fine.

-Rasmus
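The stale-cache problem Sara describes and the mitigation Rasmus proposes, modelled as an added Python example (not code from the thread or from PHP itself): a toy realpath cache is consulted by an open_basedir-style check, a symlink inside the allowed directory is retargeted after its resolution has been cached, and the check only stays correct when the cache is bypassed while the restriction is active. The class, function and directory names are all constructed for the demonstration.

```python
import os
import tempfile


class RealpathCache:
    """Toy model of PHP's realpath cache: path -> resolved path, never invalidated."""

    def __init__(self):
        self._entries = {}

    def realpath(self, path, use_cache=True):
        # use_cache=False plays the role of the VCWD_REALPATH_NO_CACHE() macro
        # suggested in the thread; use_cache=True is plain VCWD_REALPATH().
        if use_cache and path in self._entries:
            return self._entries[path]
        resolved = os.path.realpath(path)
        if use_cache:
            self._entries[path] = resolved
        return resolved


def within_basedir(cache, path, basedir, restriction_active):
    """open_basedir-style check. Following Rasmus's suggestion, the cache is
    skipped whenever a basedir/safe_mode restriction is in force."""
    resolved = cache.realpath(path, use_cache=not restriction_active)
    base = os.path.realpath(basedir)
    return resolved == base or resolved.startswith(base + os.sep)


def symlink_swap_scenario(restriction_active):
    """Return the check's verdict AFTER the symlink is retargeted outside basedir.
    The correct verdict is False; a stale cache entry yields True."""
    with tempfile.TemporaryDirectory() as root:   # constructed sandbox tree
        allowed = os.path.join(root, "home")          # the script's open_basedir
        secret = os.path.join(root, "etc", "secret")  # outside open_basedir
        os.makedirs(allowed)
        os.makedirs(os.path.dirname(secret))
        for target in (os.path.join(allowed, "ok.txt"), secret):
            with open(target, "w") as f:
                f.write("sample\n")
        link = os.path.join(allowed, "data")
        cache = RealpathCache()
        # Step 1: link resolves inside basedir; the check passes and is cached.
        os.symlink(os.path.join(allowed, "ok.txt"), link)
        if not within_basedir(cache, link, allowed, restriction_active):
            raise RuntimeError("initial check should pass")
        # Step 2: link is swapped underneath the cache to point outside basedir.
        os.remove(link)
        os.symlink(secret, link)
        return within_basedir(cache, link, allowed, restriction_active)
```

With the cache in use the swapped link is still reported as inside the allowed directory; with the cache bypassed under an active restriction the retargeted link is correctly rejected.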