Newsgroups: php.internals
Xref: news.php.net php.internals:76567
Message-ID: <53EE589F.7030109@sugarcrm.com>
Date: Fri, 15 Aug 2014 11:59:43 -0700
From: smalyshev@sugarcrm.com (Stas Malyshev)
Organization: SugarCRM
To: Jakub Zelenka
CC: Pierre Joye, PHP Internals
References: <53EA93F0.8090104@sugarcrm.com> <53ED6027.3000704@sugarcrm.com>
Subject: Re: [PHP-DEV] Re: glob() bug 47358

Hi!

> The source of the problem is that the open_basedir will always leak
> information about dirs that the user is not supposed to see (out of the
> open_basedir restriction). The reason is that a false value can indicate
> that (more info in the PR or https://bugs.php.net/bug.php?id=65489 ).
> However, I'm not sure if it's such a big issue as no one should ever use
> open_basedir in a security context anyway... :)

The biggest problem with glob() was not security but the fact that it
returned false on non-existing files when open_basedir is set, even when
everything is inside the open_basedir context. Ideally, glob() should return
the same with and without open_basedir, with the added restriction that if
open_basedir disallows access to some dir/file, then this dir/file does not
exist for the purposes of glob().

I'm not sure though if glob() does that right now completely or how hard it
would be to fix it; I didn't look into it more deeply. I just noticed that a
very old bug was not fixed in 5.4/5.5 by mistake, and this bug makes usage of
glob with open_basedir very annoying, as you cannot use glob() in foreach()
anymore.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
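The foreach() problem Stas describes, shown as an added example that is not part of the thread or of PHP's own code: a small wrapper that collapses glob()'s false return to an empty array so iteration works the same whether or not open_basedir is in effect. It assumes PHP 7 or later on the CLI and a writable sys_get_temp_dir(); the directory and file names are constructed for the demonstration, and on the PHP versions the thread discusses the raw glob() call in step 2 is where false would appear.

```php
<?php
// Added example, not from the mailing-list thread or from PHP itself.
// Assumes PHP >= 7 (scalar type hints) and a writable sys_get_temp_dir().
declare(strict_types=1);

/**
 * glob() that always yields an array, so callers can foreach() over it.
 * glob() is documented to return false on error, and under open_basedir
 * some versions also returned false for a pattern that matched nothing
 * (bug 47358 in the thread); both cases become [] here.
 */
function safe_glob(string $pattern, int $flags = 0): array
{
    $matches = glob($pattern, $flags);
    return $matches === false ? [] : $matches;
}

// --- constructed demonstration directory (names are made up) ---
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'glob_demo_' . getmypid();
if (!mkdir($base)) {
    fwrite(STDERR, "could not create $base\n");
    exit(1);
}
touch($base . DIRECTORY_SEPARATOR . 'a.txt');
touch($base . DIRECTORY_SEPARATOR . 'b.txt');

// Restrict this process to $base. open_basedir can only be tightened at
// runtime, never loosened, so everything after this line runs restricted.
// The trailing separator keeps "glob_demo_12" from also matching "glob_demo_123".
ini_set('open_basedir', $base . DIRECTORY_SEPARATOR);

// 1. Matches inside the restriction: an ordinary list, iterated directly.
foreach (safe_glob($base . '/*.txt') as $path) {
    echo "inside:  $path\n";
}

// 2. A pattern that matches nothing inside the restriction. On the affected
//    PHP versions plain glob() returns false here and a bare foreach() would
//    warn; the wrapper returns [] and the loop simply runs zero times.
$raw = glob($base . '/*.log');
printf("raw glob() with no match: %s\n", var_export($raw, true));
foreach (safe_glob($base . '/*.log') as $path) {
    echo "never printed: $path\n";
}

// 3. Callers that need to know about a real error (as opposed to "no match")
//    should inspect the raw return once rather than rely on the wrapper:
$raw = glob($base . '/*.txt');
if ($raw === false) {
    fwrite(STDERR, "glob() reported an error for $base\n");
}

// cleanup (still inside open_basedir, so these calls are permitted)
foreach (safe_glob($base . '/*') as $path) {
    unlink($path);
}
rmdir($base);
```

The wrapper is the defensive pattern for application code: treat false as "nothing to iterate" unless the caller specifically needs to distinguish an error, in which case step 3 shows checking the raw result once with a strict comparison.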