View Issue Details

IDProjectCategoryView StatusLast Update
0000450PHP for OS/2, ArcaOS & eComStation (PHP versions v8.x v7.x v5.x)Bugpublic2022-05-14 16:07
ReporterIgor Vaskov Assigned Topsmedley  
PrioritynormalSeveritymajorReproducibilityalways
Status closedResolutionunable to reproduce 
PlatformOS/2OSECSOS Version2.0
Summary0000450: Parameter safe_mode_exec_dir in php.ini do not working correctly
DescriptionPlease check algorithm for comparing path strings in the PHP. Does not work correctly open_basedir and safe_mode_exec_dir. Perhaps the problem with slashes right or left. Or a problem with the presence or absence of a drive letter at the beginning.
Error that
safe_mode = Off
can not perform any function exec() regardless of the path in line safe_mode_exec_dir.
TagsNo tags attached.
Attached Files
tst.zip (79,835 bytes)
root.zip (2,005 bytes)

Activities

psmedley

2010-11-22 19:00

administrator   ~0001767

got a simple example to test with?

It's probably missing some code to handle drive letters somewhere - ie it should be using the win32 code.

Which PHP version is this?

Igor Vaskov

2010-11-23 01:28

reporter   ~0001768

Sample in attache (tst.zip).
open_basedir works correctly if the string begins with a drive letter.
In an example of a true archive format parameter open_basedir.
But safe_mode_exec_dir is not working. In the example, several variants of the parameter and none is working.
If safe_mode is turned off, the example should work.
If safe_mode is turned on, the example should work if the correct value safe_mode_exec_dir, but not working correctly.

psmedley

2010-12-20 15:12

administrator   ~0001778

This should be fixed in 5.3.4

There were some drive letter changes for open_basedir that were present for WIN32 and not OS2

Igor Vaskov

2010-12-21 08:41

reporter   ~0001780

I'm using php 5.3.3. This is the latest version in this site. I'm waiting for version 5.3.4.

psmedley

2010-12-21 09:24

administrator   ~0001781

5.3.4 is uploading now.

http://download.smedley.info/php-5.3.4-os2-20101221.zip

Igor Vaskov

2010-12-21 10:52

reporter   ~0001782

Now does not work anyway. If there is a drive letter at the beginning of the string if it does not much depend on what the slashes are used. In any case, the log file write error - not allowed to file execution.
Tested by modifying the settings in the file php_value open_basedir .htaccess.
Contained in Attachments example does not work.
Please check on the performance of an example from the tst.zip

Igor Vaskov

2011-07-22 19:57

reporter   ~0001937

I use latest http://download.smedley.info/php-5.3.6-os2-20110412.zip .
Please check again realization comparing strings in open_basedir and safe_mode_exec_dir! Security features PHP do not work. This is really problem in my hosting.

psmedley

2011-07-22 20:14

administrator   ~0001939

will try look at this over the weekend

psmedley

2011-07-23 14:19

administrator   ~0001943

checking whether to enable safe mode by default... no
checking for safe mode exec dir... /usr/local/php/bin

This probably explains why safe_mode doesn't work...

Note that safe_mode will not be present in PHP 5.4.0 - see:
http://php.net/manual/en/ini.sect.safe-mode.php

psmedley

2011-07-23 15:13

administrator   ~0001944

Actually I think the problem is that exec doesn't work under any circumstances more so than a problem with safe_mode...

psmedley

2011-07-23 16:19

administrator   ~0001945

with safe_mode = off the following works:
<?php
echo exec('ls.exe');
?>

With safe_mode = On and safe_mode_exec_dir set, it fails

working on it now

psmedley

2011-07-23 16:29

administrator   ~0001946

Note with safe_mode_exec_dir set using forward slash it seems to work here, but your testcase doesn't///

Igor Vaskov

2011-07-23 21:51

reporter   ~0001947

Last edited: 2011-07-23 22:13

I have read this note. If this functionality removed from version 5.4.0 then do not need this repair.
But there is a problem. How to ensure the restriction of the PHP scripts to access the data? Or now it is in principle not possible under OS/2?
It turns out that the script will have access to data on the entire system and not to limit it?

But no message about the open_basedir that is deprecated.
Please repair open_basedir.

In PHP.INI open_basedir = "F:\apache2\root\"
Error log:
[23-Jul-2011 16:36:42] PHP Warning: Unknown: open_basedir restriction in effect. File(F:\apache2\root\t.php) is not within the allowed path(s): (F:\apache2\root\) in Unknown on line 0
[23-Jul-2011 16:36:42] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[23-Jul-2011 16:36:42] PHP Fatal error: Unknown: Failed opening required 'F:/apache2/root/t.php' (include_path='.;\php\includes') in Unknown on line 0

In PHP.INI open_basedir = "F:/apache2/root/"
Error log:
[23-Jul-2011 16:38:49] PHP Warning: Unknown: open_basedir restriction in effect. File(F:\apache2\root\t.php) is not within the allowed path(s): (F:/apache2/root/) in Unknown on line 0
[23-Jul-2011 16:38:49] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[23-Jul-2011 16:38:49] PHP Fatal error: Unknown: Failed opening required 'F:/apache2/root/t.php' (include_path='.;\php\includes') in Unknown on line 0

In PHP.INI open_basedir = "/apache2/root/"
Error log:
[[23-Jul-2011 16:42:28] PHP Warning: Unknown: open_basedir restriction in effect. File(F:\apache2\root\t.php) is not within the allowed path(s): (/apache2/root/) in Unknown on line 0
[23-Jul-2011 16:42:28] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[23-Jul-2011 16:42:28] PHP Fatal error: Unknown: Failed opening required 'F:/apache2/root/t.php' (include_path='.;\php\includes') in Unknown on line 0

psmedley

2012-01-07 05:51

administrator   ~0002152

is the issue wth open_basedir still present in 5.3.8?

psmedley

2012-01-07 05:53

administrator   ~0002153

in my latest code there is a specific check for both forms of slash drive separatre enabled for OS/2:
#if defined(PHP_WIN32) || defined(NETWARE) || defined(__OS2__)
        path_file = strrchr(path_tmp, DEFAULT_SLASH);
        if (!path_file) {
            path_file = strrchr(path_tmp, '/');
        }
#else
        path_file = strrchr(path_tmp, DEFAULT_SLASH);
#endif

I'm not sure when I enabled this codepath for OS/2

Igor Vaskov

2012-01-09 04:24

reporter   ~0002154

php 5.8.3
Parameter open_basedir do not works.
After the Apache error became a zombie process. Helped only a reboot.

===errpr_log================
[Sun Jan 08 20:44:32 2012] [error] [client 127.0.0.1] PHP Warning: Unknown: open_basedir restriction in effect. File(F:\\apache2\\root\\tst\\index.php) is not within the allowed path(s): (F:\\apache2\\root\\tst\\) in Unknown on line 0, referer: http://localhost/
[Sun Jan 08 20:44:32 2012] [error] [client 127.0.0.1] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0, referer: http://localhost/
[Sun Jan 08 20:44:32 2012] [error] [client 127.0.0.1] PHP Fatal error: Unknown: Failed opening required 'F:/apache2/root/tst/index.php' (include_path='.;F:\\php5\\includes') in Unknown on line 0, referer: http://localhost/

Ked by SIGSEGV
pid=0x0049 ppid=0x0047 tid=0x0001 slot=0x0082 pri=0x0200 mc=0x0001
F:\APACHE2\BIN\HTTPD.EXE
LIBC064 0:000f0242
cs:eip=005b:1f640242 ss:esp=d7d7:0022fd72 ebp=0022fdc8
 ds=d7d7 es=d7d7 fs=150b gs=150b efl=00210206
eax=0000d7d7 ebx=0022fda0 ecx=00000001 edx=0000150b edi=0022fe48 esi=006dceb8
Process dumping was disabled, use DUMPPROC / PROCDUMP to enable it.
ttp://localhost/
[Sun Jan 08 20:44:34 2012] [error] [client 127.0.0.1] PHP Fatal error: Unknown: Failed opening required 'F:/apache2/root/t.php' (include_path='.;F:\\php5\\includes') in Unknown on line 0, referer: http://localhost/
[Sun Jan 08 20:46:20 2012] [notice] caught SIGTERM, shutting down
==================================================================

Igor Vaskov

2012-01-09 04:27

reporter   ~0002155

In last attache sample for test this bug. Please edit .htaccess for your path.

psmedley

2022-05-14 16:07

administrator   ~0004248

Please test with a supported release and if this is still an issue, open a new ticket.

Issue History

Date Modified Username Field Change
2010-11-22 00:45 Igor Vaskov New Issue
2010-11-22 19:00 psmedley Note Added: 0001767
2010-11-23 01:14 Igor Vaskov File Added: tst.zip
2010-11-23 01:28 Igor Vaskov Note Added: 0001768
2010-12-20 15:12 psmedley Note Added: 0001778
2010-12-20 15:12 psmedley Assigned To => psmedley
2010-12-20 15:12 psmedley Status new => feedback
2010-12-21 08:41 Igor Vaskov Note Added: 0001780
2010-12-21 08:41 Igor Vaskov Status feedback => assigned
2010-12-21 09:24 psmedley Note Added: 0001781
2010-12-21 10:52 Igor Vaskov Note Added: 0001782
2011-07-22 19:57 Igor Vaskov Note Added: 0001937
2011-07-22 20:14 psmedley Note Added: 0001939
2011-07-23 14:19 psmedley Note Added: 0001943
2011-07-23 15:13 psmedley Note Added: 0001944
2011-07-23 16:19 psmedley Note Added: 0001945
2011-07-23 16:29 psmedley Note Added: 0001946
2011-07-23 21:51 Igor Vaskov Note Added: 0001947
2011-07-23 22:00 Igor Vaskov Note Edited: 0001947
2011-07-23 22:11 Igor Vaskov Note Edited: 0001947
2011-07-23 22:13 Igor Vaskov Note Edited: 0001947
2012-01-07 05:51 psmedley Note Added: 0002152
2012-01-07 05:53 psmedley Note Added: 0002153
2012-01-09 04:24 Igor Vaskov Note Added: 0002154
2012-01-09 04:25 Igor Vaskov File Added: root.zip
2012-01-09 04:27 Igor Vaskov Note Added: 0002155
2022-05-14 16:07 psmedley Status assigned => resolved
2022-05-14 16:07 psmedley Resolution open => unable to reproduce
2022-05-14 16:07 psmedley Note Added: 0004248
2022-05-14 16:07 psmedley Status resolved => closed