I think there is a bug in PHP safe mode handling from version 4.3.0 till now.
Problem description:
There is a function php_check_safe_mode_include_dir() (fopen_wrappers.c) which checks, if file is in safe_mode_include_dir. When no safe_mode_include_dir is specified in the configuration, this function returns 0 which means success. Older versions (4.2.3) returned -1
(failure) in such case.
There is other function in streams.c - _php_stream_fopen_with_path() which makes two tests in some cases (on line 1856 in version 4.3.2): it checks results of functions php_check_safe_mode_include_dir() and php_checkuid().
And there is a problem: there is OR condition between theese two tests. When there is no value in the safe_mode_include_dir directive,
php_check_safe_mode_include_dir() returns always 0 (true) and due to OR condition result of php_checkuid() is irrelevant. This means that
include() and require() functions in PHP scripts always succeed
- regardless of file permissions.
I think, there was made one of the following mistakes:
a) php_check_safe_mode_include_dir() should return -1 (false) when there is no value in the safe_mode_include_dir directive as older versions
or
someone wanted to switch behaviour of theese test to the state where both tests must pass ("file must be in safe_mode_include_dir and must have appropriate owner/group"). In this casephp_check_safe_mode_include_dir() really should return 0 (true) when there is no value in the safe_mode_include_dir directive, but there must be AND condition instead of OR in the _php_stream_fopen_with_path() function.
This behaviour could make older working setups insecure after upgrading to PHP 4.3.x.
I tried to report this bug to PHP developers twice in last weeks, but I didn't receive any answer.
Best regards
Michal Krause
