From 40a9316dff6e043b534844b2ab167318250be277 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 13 Apr 2014 20:31:20 -0700 Subject: Fix bug #66171: better handling of symlinks --- NEWS | 2 ++ ext/session/mod_files.c | 37 ++++++++++++++++++++----------------- 2 files changed, 22 insertions(+), 17 deletions(-) diff --git a/NEWS b/NEWS index 1d8fe401b0..66f0d05645 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,8 @@ PHP NEWS UNIX sockets). (Mike) . Fixed bug #64604 (parse_url is inconsistent with specified port). (Ingo Walz) + . Fixed bug #66171 (Symlinks and session handler allow open_basedir bypass). + (Jann Horn, Stas) . Fixed bug #66182 (exit in stream filter produces segfault). (Mike) . Fixed bug #66736 (fpassthru broken). (Mike) . Fixed bug #67024 (getimagesize should recognize BMP files with negative diff --git a/ext/session/mod_files.c b/ext/session/mod_files.c index 86a2235845..8f57ca5af9 100644 --- a/ext/session/mod_files.c +++ b/ext/session/mod_files.c @@ -146,6 +146,7 @@ static void ps_files_close(ps_files *data) static void ps_files_open(ps_files *data, const char *key TSRMLS_DC) { char buf[MAXPATHLEN]; + struct stat sbuf; if (data->fd < 0 || !data->lastkey || strcmp(key, data->lastkey)) { if (data->lastkey) { 
@@ -165,26 +166,28 @@ static void ps_files_open(ps_files *data, const char *key TSRMLS_DC) } data->lastkey = estrdup(key); - - data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY, data->filemode); + + /* O_NOFOLLOW to prevent us from following evil symlinks */ +#ifdef O_NOFOLLOW + data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY | O_NOFOLLOW, data->filemode); +#else + /* Check to make sure that the opened file is not outside of allowable dirs. + This is not 100% safe but it's hard to do something better without O_NOFOLLOW */ + if(PG(open_basedir) && lstat(buf, &sbuf) == 0 && S_ISLNK(sbuf.st_mode) && php_check_open_basedir(buf TSRMLS_CC)) { + return; + } + data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY, data->filemode); +#endif if (data->fd != -1) { #ifndef PHP_WIN32 - /* check to make sure that the opened file is not a symlink, linking to data outside of allowable dirs */ - if (PG(open_basedir)) { - struct stat sbuf; - - if (fstat(data->fd, &sbuf)) { - close(data->fd); - data->fd = -1; - return; - } - if (S_ISLNK(sbuf.st_mode) && php_check_open_basedir(buf TSRMLS_CC)) { - close(data->fd); - data->fd = -1; - return; - } - } + /* check that this session file was created by us or root – we + don't want to end up accepting the sessions of another webapp */ + if (fstat(data->fd, &sbuf) || (sbuf.st_uid != 0 && sbuf.st_uid != getuid() && sbuf.st_uid != geteuid())) { + close(data->fd); + data->fd = -1; + return; + } #endif flock(data->fd, LOCK_EX); -- cgit v1.2.1 From ad1b9eef98df53adefa0c79c02e5dc1f2b928b8c Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 13 Apr 2014 20:43:46 -0700 Subject: Fix null byte in LDAP bindings --- NEWS | 3 +++ ext/ldap/ldap.c | 10 ++++++++++ 2 files changed, 13 insertions(+) diff --git a/NEWS b/NEWS index 66f0d05645..2d98de7fa0 100644 --- a/NEWS +++ b/NEWS 
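Review bot: The new ownership check under `#ifndef PHP_WIN32` rejects the file silently — when `fstat()` fails or `st_uid` is neither 0 nor the real/effective uid, the fd is closed and the function returns with `data->fd == -1`, but nothing is logged, so a deployment whose session files were written under a different uid (a CLI cron job versus the web-server user, for instance) will see sessions disappear with no diagnostic, whereas the replaced code at least warned through `php_check_open_basedir()`. I would add `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Session file %s is owned by uid %d, refusing to use it", buf, (int)sbuf.st_uid);` before the `close()` and call out the behaviour change in NEWS, since it now applies regardless of `open_basedir`. Two caveats also belong in the comment: the `lstat()`-then-open fallback in the `#else` branch is racy (the comment already says so), and neither branch refuses a hard link into the save path — `O_NOFOLLOW` does not apply to hard links, so only the uid comparison stands in the way there, and only when the linked file has a foreign owner. Likewise, with `O_NOFOLLOW` the `open()` of a symlink presumably fails with `ELOOP` and is reported nowhere; `ps_files_open` begins before this hunk and continues after the `flock()` call.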
@@ -37,6 +37,9 @@ PHP NEWS . Fixed bug #66021 (Blank line inside empty array/object when JSON_PRETTY_PRINT is set). (Kevin Israel) +- LDAP: + . Fixed issue with null bytes in LDAP bindings. (Matthew Daley) + - SimpleXML: . Fixed bug #66084 (simplexml_load_string() mangles empty node name) (Anatol) diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c index 9d3a710b60..9fe48a03aa 100644 --- a/ext/ldap/ldap.c +++ b/ext/ldap/ldap.c @@ -399,6 +399,16 @@ PHP_FUNCTION(ldap_bind) RETURN_FALSE; } + if (ldap_bind_dn != NULL && memchr(ldap_bind_dn, '\0', ldap_bind_dnlen) != NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "DN contains a null byte"); + RETURN_FALSE; + } + + if (ldap_bind_pw != NULL && memchr(ldap_bind_pw, '\0', ldap_bind_pwlen) != NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Password contains a null byte"); + RETURN_FALSE; + } + ZEND_FETCH_RESOURCE(ld, ldap_linkdata *, &link, -1, "ldap link", le_link); if ((rc = ldap_bind_s(ld->link, ldap_bind_dn, ldap_bind_pw, LDAP_AUTH_SIMPLE)) != LDAP_SUCCESS) { -- cgit v1.2.1
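Review bot: The two `memchr()` guards in `ldap_bind` keep the DN and password from being silently cut at the first NUL by the C-string `ldap_bind_s()` call, but the same truncation affects any other `s`-parsed string this extension passes to libldap unchanged (base DNs and filters in the search functions, values in add/modify, if they are handled the same way), and this commit adds the check only here. Either repeat the guard at those call sites or, since the file already uses `zend_parse_parameters`, consider the `p` specifier, which rejects embedded NULs centrally (its built-in message talks about paths, so the wording may not suit). A one-line comment above the checks would also help the next reader: `/* libldap takes C strings: an embedded NUL would silently truncate the DN or password, possibly binding as an unintended identity */`. The body of `ldap_bind` starts before this hunk and continues after the `ldap_bind_s()` call.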