Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:95588 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 38551 invoked from network); 2 Sep 2016 19:50:24 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 2 Sep 2016 19:50:24 -0000 Authentication-Results: pb1.pair.com smtp.mail=cmbecker69@gmx.de; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=cmbecker69@gmx.de; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmx.de designates 212.227.15.18 as permitted sender) X-PHP-List-Original-Sender: cmbecker69@gmx.de X-Host-Fingerprint: 212.227.15.18 mout.gmx.net Received: from [212.227.15.18] ([212.227.15.18:60693] helo=mout.gmx.net) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id AE/81-19490-DF7D9C75 for ; Fri, 02 Sep 2016 15:50:23 -0400 Received: from [192.168.2.103] ([79.243.115.246]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0MOfcU-1blw5P0nkk-0069z8; Fri, 02 Sep 2016 21:50:17 +0200 To: Davey Shafik References: <036401d1f30f$afa85a40$0ef90ec0$@belski.net> <3dc2f23a-c4fb-a63d-ab7f-fa841091b313@gmx.de> <53037294-e8ed-31c8-95ef-522e02333e7c@gmx.de> <016101d1fa7a$298a5220$7c9ef660$@belski.net> <1a033870-ea53-a115-a644-3f131ad3d42d@gmx.de> Cc: Anatol Belski , "internals@lists.php.net" Message-ID: <4698e7d4-ffa5-af15-a231-0c2bdeb52605@gmx.de> Date: Fri, 2 Sep 2016 21:50:35 +0200 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Provags-ID: V03:K0:LDvOT/gbdyHpIKkpgv2OgPcYYptFijsJRYMmG4CdV0/9B8vaMuV jh9D7matjwwCOeVA4l4TPzB7EBFuV1uA3fzfsg1z+jpvWQJSHSCpWp/Bl/ozpZ1ivrA9gV3 uwkJuZfSdlwvhdIAA27H1WwKXPzGCM4YWY9KylsbeSqQIAP0oK/kJ05VUSm7PW6v+psTLZy AX+WfP6RPj3aCZlaPOOPg== X-UI-Out-Filterresults: notjunk:1;V01:K0:2u1YW8/4fEQ=:nUdtXxBvTlGBfu6Sqa6G/5 Kl5DEHUkF4schmYjZ6pJlRdk8RDeE2VlB1Dh8wuuP+ADYUl/R2GspFZQmRMp7pUCWQBsLIZuk SKn/T0cv/rMCoBFCX4HjPzT6lCeiWcYu6OZSvSlH8ptqlScpdkAOvehItNCubs6nDu1fJKmli lUxzMm3uKEypYXPyXQCOzHCl3CKtUoa0MRUywWy/Vmb9N/snauJ192r7zAcNsJp3FYFjF3hh8 x9b6vqC1f72a/Jz/kJenBy52BYkEEkrUeKeBlnJwlnmQ5G+XKVRHSiSLCozEUPwIlnrZkkuHi /fG9QSe8mq5zZshKQ6SXhVurWW9u+CHHjs1//xuVRYhRyy6SrIj1POCdvPMWZIj7CvrsOqBXs zHpjSv8AjmukzKALyv03/Vxx8ZGF1BVndnNf10WyuPjnS3SzK78+8NTcVh2y6yVq7LnSxSXge /K6jkIioLa843eMFws/s6i1TDPTXKIsBP4uPgCZdNC8OWeAExSgMWYREdONjaStk+vU9YewfF 8fzO8cUVhILlssS6TxnODYSueqXJYXpRGrNDd7uFNO2mFBK0XLdfeWHVgk8F3ZCL6PhYEoCo2 e8nLTSOzmPb4z/bBnkp5By0+TfurCc1QcHc9c+ZCsIHh2ozJ7547+6N/lptAoCT/d9SMSaQMs k5d9cXeRqD7zZqROai2n4B902SNAPeCF4Z22LeIJHdcUmyGzzqxZ48nE5qmS64XqAZbdCKq7O pjAHHS8MJuW61scF+uReb40QEq2qUl5I6PB8HtVsyquL6Y1av5IBtM4aaHXX2CuZwdzTJeOJO xmflFtL Subject: Re: [PHP-DEV] SQLite 3.14 From: cmbecker69@gmx.de ("Christoph M. Becker") On 02.09.2016 at 21:21, Davey Shafik wrote: > Good find with that other test! > > I don't see any reason not to fix it for 5.6+ Fine, I'll see to it. Cheers! > - Davey > > On Fri, Sep 2, 2016 at 12:08 PM, Christoph M. Becker > wrote: > >> On 31.08.2016 at 05:46, Davey Shafik wrote: >> >>> Sorry, I dropped the ball on this one: >>> >>> ../sapi/cli/php -d "output_handler=" -d "open_basedir=." -d >>> "disable_functions=" -d "output_buffering=Off" -d "error_reporting=32767" >>> -d "display_errors=1" -d "display_startup_errors=1" -d "log_errors=0" -d >>> "html_errors=0" -d "track_errors=1" -d "report_memleaks=1" -d >>> "report_zend_debug=0" -d "docref_root=" -d "docref_ext=.html" -d >>> "error_prepend_string=" -d "error_append_string=" -d "auto_prepend_file=" >>> -d "auto_append_file=" -d "ignore_repeated_errors=0" -d "precision=14" -d >>> "memory_limit=128M" -d "log_errors_max_len=0" -d >> "opcache.fast_shutdown=0" >>> -d "opcache.file_update_protection=0" -f >>> "/php-src/ext/sqlite3/tests/sqlite3_21_security.php" >>> >>> I think the issue is that the test isn't run in ext/sqlite3/tests, but >> from >>> the root of the checkout, which means that open_basedir=. would include >>> everything in the repo, including the attempt "../bad" directory. >> >> Ah, I have not thought of running in a root directory directly (or would >> have expected that "../bad" would still trigger the open_basedir warning). >> >>> Potential solutions: >>> >>> Change the path to be "../../../../../bad" to ensure it's outside the >>> top-level of the script. >> >> If "../bad" doesn't trigger the open_basedir restriction, "../../bad" >> most likely also wouldn't. Please correct me if I'm wrong. >> >>> Add a: chdir(__DIR__); at the top. >> >> Indeed, using chdir() seems to be the proper way to test for >> open_basedir restrictions, see >> > security/open_basedir.inc#L12-L14>. >> >> Should that be changed for PHP-5.6+? >> >> Cheers! >> >>> Thoughts? >>> >>> On Fri, Aug 19, 2016 at 5:31 PM, Anatol Belski >>> wrote: >>> >>>> Hi Davey, >>>> >>>>> -----Original Message----- >>>>> From: Davey Shafik [mailto:davey@php.net] >>>>> Sent: Friday, August 19, 2016 7:09 PM >>>>> To: Christoph M. Becker >>>>> Cc: Anatol Belski ; internals@lists.php.net >>>>> Subject: Re: [PHP-DEV] SQLite 3.14 >>>>> >>>>> Christophe, >>>>> >>>>> I got the failure multiple times in my Debian Jessie docker container >>>> that I use >>>>> for builds - you can check it out yourself at >>>> https://github.com/dshafik/php-build >>>>> to see the setup. >>>>> >>>>> Thanks for looking into this! >>>>> >>>>> - Davey >>>>> >>>>> On Sat, Aug 20, 2016 at 01:35 Christoph M. Becker >>>> > wrote: >>>>> >>>>> >>>>> Hi Davey! >>>>> >>>>> On 19.08.2016 at 15:32, Davey Shafik wrote: >>>>> >>>>> > I saw this failure while packaging 7.1.0beta3, and assume it >>>> might be >>>>> > related to your update: >>>>> > >>>>> > FAIL SQLite3 open_basedir checks >>>>> > [ext/sqlite3/tests/sqlite3_21_security.phpt] >>>>> > >>>>> > ========DIFF======== >>>>> > 006- >>>>> > 007- Warning: SQLite3::__construct(): open_basedir restriction >> in >>>>> effect. >>>>> > File(%s) is not within the allowed path(s): (.) in >>>>> > %ssqlite3_21_security.php on line %d >>>>> > 008- Exception: open_basedir prohibits opening %s in >>>>> > %ssqlite3_21_security.php:%d >>>>> > 009- Stack trace: >>>>> > 010- #0 %ssqlite3_21_security.php(%d): >> SQLite3->__construct('%s') >>>>> > 011- #1 {main} >>>>> > ========DONE======== >>>>> > >>>>> > Can you please look into this in time for RC1? >>>>> >>>>> I've just checked again with the tagged PHP-7.1.0beta3, but the >>>> test >>>>> succeeds on my machine. Therefore it's hard for me to assess >> what >>>> is >>>>> wrong. According to the diff, it appears that the second DB >> which >>>>> shouldn't be created according to the open_basedir restriction, >> is >>>>> actually successfully created. >>>>> >>>>> Anyway, it's rather unlikely that an open_basedir related failure >>>> is >>>>> caused by updating SQLite, as this check is part of the PHP >>>> binding[1], >>>>> which has not been affected by this commit. The issue might be >>>> caused >>>>> by commit cc125f27[2], but that's also somewhat unlikely, because >>>> the >>>>> Travis checks usually succeed generally. >>>>> >>>>> Can you reproduce the test failure? In which enviroment? >>>>> >>>>> [1] >>> sqlite3 >>>>> /sqlite3.c#L125 >>>> 7.1.0beta3/ext/sqlite3/sqlite3.c#L125> > >>>>> [2] >>>>> >>>> I was checking this and saw no failure as well. From the test diff, it >>>> doesn't look like a crash but something with that try/catch block. Maybe >>>> there'll be more luck with a reproducer, if you could post the exact >>>> command line? You can read it from the corresponding .sh file or just by >>>> appending --verbose. >>>> >>>> Regards >>>> >>>> Anatol >>>> >>> >> >