From a8422d7a82dcf8401cf76626aaf55fed5c407160 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Fri, 21 May 2021 12:17:33 +0200
Subject: [PATCH 1/3] Fix #76359: open_basedir bypass through adding ".."

We explicitly forbid adding `..` to `open_basedir`at runtime.
---
 main/fopen_wrappers.c | 5 +++++
 tests/security/bug76359.phpt | 19 +++++++++++++++++++
 2 files changed, 24 insertions(+)
 create mode 100644 tests/security/bug76359.phpt

diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
index db4be878d8171..a227721528e8a 100644
--- a/main/fopen_wrappers.c
+++ b/main/fopen_wrappers.c
@@ -110,6 +110,11 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
 *end = '\0';
 end++;
 }
+ if (ptr[0] == '.' && ptr[1] == '.' && ptr[2] == '\0') {
+ /* Don't allow .. to be set at runtime */
+ efree(pathbuf);
+ return FAILURE;
+ }
 if (php_check_open_basedir_ex(ptr, 0) != 0) {
 /* At least one portion of this open_basedir is less restrictive than the prior one, FAIL */
 efree(pathbuf);
diff --git a/tests/security/bug76359.phpt b/tests/security/bug76359.phpt
new file mode 100644
index 0000000000000..df35d67d097da
--- /dev/null
+++ b/tests/security/bug76359.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #76359 (open_basedir bypass through adding "..")
+--FILE--
+--EXPECTF--
+bool(false)
+
+Warning: chdir(): open_basedir restriction in effect. File(..) is not within the allowed path(s): (%s) in %s on line %d
+--CLEAN--
+

From 20451f09130ef4b1f6cbb4abbe07ca884bb1dca0 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Fri, 21 May 2021 13:12:58 +0200
Subject: [PATCH 2/3] Don't allow paths with a leading .. path component to be set at runtime

---
 main/fopen_wrappers.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
index a227721528e8a..9d88d93b73ad4 100644
--- a/main/fopen_wrappers.c
+++ b/main/fopen_wrappers.c
@@ -110,8 +110,12 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
 *end = '\0';
 end++;
 }
- if (ptr[0] == '.' && ptr[1] == '.' && ptr[2] == '\0') {
- /* Don't allow .. to be set at runtime */
+#ifndef PHP_WIN32
+ if (ptr[0] == '.' && ptr[1] == '.' && (ptr[2] == '\0' || ptr[2] == DEFAULT_SLASH)) {
+#else
+ if (ptr[0] == '.' && ptr[1] == '.' && (ptr[2] == '\0' || ptr[2] == DEFAULT_SLASH || ptr[2] == '/')) {
+#endif
+ /* Don't allow paths with a leading .. path component to be set at runtime */
 efree(pathbuf);
 return FAILURE;
 }

From 56a6bba0d3e3f4d8101e5f80b28685e05c023627 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Fri, 21 May 2021 15:00:41 +0200
Subject: [PATCH 3/3] Don't reinvent the wheel

---
 main/fopen_wrappers.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
index 9d88d93b73ad4..27135020fa3e3 100644
--- a/main/fopen_wrappers.c
+++ b/main/fopen_wrappers.c
@@ -110,11 +110,7 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
 *end = '\0';
 end++;
 }
-#ifndef PHP_WIN32
- if (ptr[0] == '.' && ptr[1] == '.' && (ptr[2] == '\0' || ptr[2] == DEFAULT_SLASH)) {
-#else
- if (ptr[0] == '.' && ptr[1] == '.' && (ptr[2] == '\0' || ptr[2] == DEFAULT_SLASH || ptr[2] == '/')) {
-#endif
+ if (ptr[0] == '.' && ptr[1] == '.' && (ptr[2] == '\0' || IS_SLASH(ptr[2]))) {
 /* Don't allow paths with a leading .. path component to be set at runtime */
 efree(pathbuf);
 return FAILURE;
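Review bot: The condition kept by the final hunk, `if (ptr[0] == '.' && ptr[1] == '.' && (ptr[2] == '\0' || IS_SLASH(ptr[2])))`, is a literal test on the first path component only, and the comment under it should say so to keep the next maintainer from reading it as a general normalisation of the entry: `/* An entry whose first component is ".." is refused outright; every other relative entry is checked only by php_check_open_basedir_ex() below. */`. Patches 2 and 3 widen the rejection from bare `..` to the slash-terminated form (and, through IS_SLASH, the Windows separator), yet their diffstats touch only main/fopen_wrappers.c, and the tests/security/bug76359.phpt added in patch 1 has a visible EXPECTF that mentions only `File(..)`, so the widened forms appear to have no test; adding the `../`-style case to that phpt would pin the behaviour this series actually ships. The same remark applies to the patch 2 hunk above, which this hunk replaces. OnUpdateBaseDir begins and continues outside the hunk.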