Re: PHP3 safe_mode and popen()
Subject: Re: PHP3 safe_mode and popen()
From: Kristian Koehntopp (kris KOEHNTOPP.DE)
Date: Thu Jan 06 2000 - 02:31:44 CST
- In reply to: David TILLOY: "Re: PHP3 safe_mode and popen()"
In netuse.lists.bugtraq you write:
> Right... Your patch seems to work only with php-3.0.12.
> I attach modified version for php-3.0.13.
Actually, my patch is against the current CVS of PHP and the
diff I posted was being generated directly from the CVS. Get
yourself a copy of current PHP directly from the CVS and all is
well.
>
-601,6 +602,11 
> snprintf(buf,sizeof(buf),"%s/%s",php3_ini.safe_mode_exec_dir,arg1->value.str.val);
> }
> fp = popen(buf,p);
>+
>+ tmp = _php3_escapeshellcmd(buf);
>+ fp = popen(tmp,p);
>+ efree(tmp); /* temporary copy, no longer necessary */
>+
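Review bot: the context line `fp = popen(buf,p);` just above the added lines is left in place, so the command still runs once with the unescaped `buf`, and the stream from that first call is lost when `fp` is reassigned by `popen(tmp,p)`. Turn the original call into a `-` line so that the only popen() is the one on the `_php3_escapeshellcmd(buf)` result, and keep the `efree(tmp)` after it.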
Your patch does popen twice and the first popen() is unescaped.
This is broken and should not be used. Again, please use the CVS
to get a properly patched version of PHP or wait for the bugfix
release of PHP which will be out RSN.
Kristian
This archive was generated by hypermail 2b27 : Thu Jan 06 2000 - 13:48:44 CST