[nycphp-talk] apocryphal safe mode bug and SANS' alert CAN-2003-0863

Chris Shiflett shiflett at php.net
Sat Nov 15 16:35:06 EST 2003


--- Tim Gales <tgales at tgaconnect.com> wrote:
> http://marc.theaimsgroup.com/?l=bugtraq&m=105839111204227

OK, I read this email. I think I misunderstood before.

This guy seems to be claiming that having safe_mode enabled but omitting
safe_mode_include_dir in your configuration basically disables the check
when you go to include something.

He also cites some code in fopen_wrappers.c.

Well, it seems to me that he is just wrong. From the code:

PHPAPI int php_check_safe_mode_include_dir(char *path TSRMLS_DC)
{
     if (PG(safe_mode)) {
          if (PG(safe_mode_include_dir) && *PG(safe_mode_include_dir)) {
               [snip]
          }
          return -1;
     }
     return 0;
}

The part I snipped out is where the checks are made, and that part is
irrelevant for this argument. As you can see, the default return (since
any previous return would end the function) for the case where safe_mode
is enabled is -1. This is a safe approach. Unless safe_mode_include_dir is
specified and the permissions checks succeed, permission is not granted.

The default return for when safe_mode is not enabled is 0, which makes
sense.

This guy's argument is that the code returns 0 when safe_mode_include_dir
is not set, which is untrue. Doing a cvs annotate on this code shows this
for that particular line:

1.141     (jflemer  01-Feb-02):     return -1;

So, that line has not changed since Feb 2002. His email is from Jul 2003.
This leads me to believe that his argument is completely invalid, even at
the time that he wrote that email.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp
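
Added example, not part of the original message and not PHP's source: a stand-alone model of the quoted function's outer control flow, showing that every path through the safe_mode branch that does not explicitly succeed falls through to -1. The struct cfg, the helper path_under_listed_dir, the ':'-separated list format and the early "return 0" on a match are assumptions standing in for the snipped section.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for PG(safe_mode) and PG(safe_mode_include_dir). */
struct cfg {
    int safe_mode;
    const char *safe_mode_include_dir;  /* NULL or "" = unset; ':'-separated */
};

/* Assumed replacement for the snipped checks (not PHP's code): 1 if path lies
 * under a listed directory. Paths are assumed to be already canonicalised. */
static int path_under_listed_dir(const char *list, const char *path)
{
    for (const char *p = list; *p; ) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        /* Match on a directory boundary: "/opt/lib" must not match "/opt/library". */
        if (len > 0 && strncmp(path, p, len) == 0 &&
            (p[len - 1] == '/' || path[len] == '/' || path[len] == '\0'))
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Same outer control flow as the quoted function: 0 = allowed, -1 = refused. */
int check_safe_mode_include_dir(const struct cfg *c, const char *path)
{
    if (c->safe_mode) {
        if (c->safe_mode_include_dir && *c->safe_mode_include_dir) {
            if (path_under_listed_dir(c->safe_mode_include_dir, path))
                return 0;
        }
        return -1;  /* directive unset, or set but no entry matched */
    }
    return 0;       /* safe_mode disabled */
}

int main(void)
{
    struct cfg unset = {1, ""}, set = {1, "/usr/share/php:/opt/lib"}, off = {0, NULL};
    printf("on, unset: %d\n", check_safe_mode_include_dir(&unset, "/usr/share/php/a.php"));
    printf("on, set, inside: %d\n", check_safe_mode_include_dir(&set, "/opt/lib/a.php"));
    printf("on, set, outside: %d\n", check_safe_mode_include_dir(&set, "/opt/library/a.php"));
    printf("off: %d\n", check_safe_mode_include_dir(&off, "/etc/passwd"));
    return 0;
}
```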


