fix bug #61367 - open_basedir bypass using libxml RSHUTDOWN

smalyshev · smalyshev · commit 167e2fd78224 · 2012-03-25T12:50:25.000-07:00
diff --git a/NEWS b/NEWS
@@ -42,6 +42,10 @@ PHP                                                                        NEWS
 - Firebird Database extension (ibase):
   . Fixed bug #60802 (ibase_trans() gives segfault when passing params).
 
+- Libxml:
+  . Fixed bug #61367 (open_basedir bypass using libxml RSHUTDOWN). 
+    (Tim Starling)
+
 - mysqli
   . Fixed bug #61003 (mysql_stat() require a valid connection). (Johannes).
 
diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c
@@ -82,8 +82,8 @@ ZEND_GET_MODULE(libxml)
 static PHP_MINIT_FUNCTION(libxml);
 static PHP_RINIT_FUNCTION(libxml);
 static PHP_MSHUTDOWN_FUNCTION(libxml);
-static PHP_RSHUTDOWN_FUNCTION(libxml);
 static PHP_MINFO_FUNCTION(libxml);
+static int php_libxml_post_deactivate();
 
 /* }}} */
 
@@ -129,13 +129,13 @@ zend_module_entry libxml_module_entry = {
 	PHP_MINIT(libxml),       /* extension-wide startup function */
 	PHP_MSHUTDOWN(libxml),   /* extension-wide shutdown function */
 	PHP_RINIT(libxml),       /* per-request startup function */
-	PHP_RSHUTDOWN(libxml),   /* per-request shutdown function */
+	NULL,                    /* per-request shutdown function */
 	PHP_MINFO(libxml),       /* information function */
 	NO_VERSION_YET,
 	PHP_MODULE_GLOBALS(libxml), /* globals descriptor */
 	PHP_GINIT(libxml),          /* globals ctor */
 	NULL,                       /* globals dtor */
-	NULL,                       /* post deactivate */
+	php_libxml_post_deactivate, /* post deactivate */
 	STANDARD_MODULE_PROPERTIES_EX
 };
 
@@ -655,9 +655,9 @@ static PHP_MSHUTDOWN_FUNCTION(libxml)
 	return SUCCESS;
 }
 
-
-static PHP_RSHUTDOWN_FUNCTION(libxml)
+static int php_libxml_post_deactivate()
 {
+	TSRMLS_FETCH();
 	/* reset libxml generic error handling */
 	xmlSetGenericErrorFunc(NULL, NULL);
 	xmlSetStructuredErrorFunc(NULL, NULL);
diff --git a/ext/libxml/tests/bug61367-read.phpt b/ext/libxml/tests/bug61367-read.phpt
@@ -0,0 +1,58 @@
+--TEST--
+Bug #61367: open_basedir bypass in libxml RSHUTDOWN: read test
+--SKIPIF--
+<?php if(!extension_loaded('dom')) echo 'skip'; ?>
+--INI--
+open_basedir=.
+; Suppress spurious "Trying to get property of non-object" notices
+error_reporting=E_ALL & ~E_NOTICE
+--FILE--
+<?php
+
+class StreamExploiter {
+	public function stream_close (  ) {
+		$doc = new DOMDocument;
+		$doc->resolveExternals = true;
+		$doc->substituteEntities = true;
+		$dir = htmlspecialchars(dirname(getcwd()));
+		$doc->loadXML( <<<XML
+<!DOCTYPE doc [
+	<!ENTITY file SYSTEM "file://github.com/$dir/bad">
+]>
+<doc>&file;</doc>
+XML
+		);
+		print $doc->documentElement->firstChild->nodeValue;
+	}
+
+	public function stream_open (  $path ,  $mode ,  $options ,  &$opened_path ) {
+		return true;
+	}
+}
+
+var_dump(mkdir('test_bug_61367'));
+var_dump(mkdir('test_bug_61367/base'));
+var_dump(file_put_contents('test_bug_61367/bad', 'blah'));
+var_dump(chdir('test_bug_61367/base'));
+
+stream_wrapper_register( 'exploit', 'StreamExploiter' );
+$s = fopen( 'exploit://', 'r' );
+
+?>
+--CLEAN--
+<?php
+unlink('test_bug_61367/bad');
+rmdir('test_bug_61367/base');
+rmdir('test_bug_61367');
+?>
+--EXPECTF--
+bool(true)
+bool(true)
+int(4)
+bool(true)
+
+Warning: DOMDocument::loadXML(): I/O warning : failed to load external entity "file://github.com/%s/test_bug_61367/bad" in %s on line %d
+
+Warning: DOMDocument::loadXML(): Failure to process entity file in Entity, line: 4 in %s on line %d
+
+Warning: DOMDocument::loadXML(): Entity 'file' not defined in Entity, line: 4 in %s on line %d
diff --git a/ext/libxml/tests/bug61367-write.phpt b/ext/libxml/tests/bug61367-write.phpt
@@ -0,0 +1,48 @@
+--TEST--
+Bug #61367: open_basedir bypass in libxml RSHUTDOWN: write test
+--SKIPIF--
+<?php if(!extension_loaded('dom')) echo 'skip'; ?>
+--INI--
+open_basedir=.
+; Suppress spurious "Trying to get property of non-object" notices
+error_reporting=E_ALL & ~E_NOTICE
+--FILE--
+<?php
+
+class StreamExploiter {
+	public function stream_close (  ) {
+		$doc = new DOMDocument;
+		$doc->appendChild($doc->createTextNode('hello')); 
+		var_dump($doc->save(dirname(getcwd()) . '/bad'));
+	}
+
+	public function stream_open (  $path ,  $mode ,  $options ,  &$opened_path ) {
+		return true;
+	}
+}
+
+var_dump(mkdir('test_bug_61367'));
+var_dump(mkdir('test_bug_61367/base'));
+var_dump(file_put_contents('test_bug_61367/bad', 'blah'));
+var_dump(chdir('test_bug_61367/base'));
+
+stream_wrapper_register( 'exploit', 'StreamExploiter' );
+$s = fopen( 'exploit://', 'r' );
+
+?>
+--CLEAN--
+<?php
+@unlink('test_bug_61367/bad');
+rmdir('test_bug_61367/base');
+rmdir('test_bug_61367');
+?>
+--EXPECTF--
+bool(true)
+bool(true)
+int(4)
+bool(true)
+
+Warning: DOMDocument::save(): open_basedir restriction in effect. File(%s) is not within the allowed path(s): (.) in %s on line %d
+
+Warning: DOMDocument::save(%s): failed to open stream: Operation not permitted in %s on line %d
+bool(false)
