/*
+----------------------------------------------------------------------+
| PHP version 4.0 |
+----------------------------------------------------------------------+
| Copyright (c) 1997-2001 The PHP Group |
+----------------------------------------------------------------------+
| This source file is subject to version 2.02 of the PHP license, |
| that is bundled with this package in the file LICENSE, and is |
| available through the world-wide-web at |
| http://www.php.net/license/2_02.txt. |
| If you did not receive a copy of the PHP license and are unable to |
| obtain it through the world-wide-web, please send a note to |
| license@php.net so we can mail you a copy immediately. |
+----------------------------------------------------------------------+
| Authors: Rasmus Lerdorf <rasmus@lerdorf.on.ca> |
+----------------------------------------------------------------------+
*/
/* $Id$ */
#include "php.h"
#include <stdio.h>
#include <stdlib.h>
#if HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <sys/stat.h>
#include "ext/standard/pageinfo.h"
#include "safe_mode.h"
#include "SAPI.h"
/*
* php_checkuid
*
* This function has four modes:
*
* 0 - return invalid (0) if file does not exist
* 1 - return valid (1) if file does not exist
* 2 - if file does not exist, check directory
* 3 - only check directory (needed for mkdir)
*/
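/*
 * Safe-mode ownership check.
 *
 * filename   - path to check; NULL is rejected.  NOTE: the trailing-slash
 *              stripping below writes into this buffer despite the const
 *              qualifier, and the stripped slashes are not restored, so the
 *              caller must pass writable storage.
 * fopen_mode - optional fopen()-style mode string; when given it overrides
 *              'mode' ('r' requires the file to exist, anything else checks
 *              the file and falls back to its directory).
 * mode       - one of the CHECKUID_* modes described above.
 *
 * Returns 1 when access is allowed, 0 when it is denied; denials other
 * than a NULL filename are reported with an E_WARNING.
 */
PHPAPI int php_checkuid(const char *filename, char *fopen_mode, int mode)
{
	struct stat sb;
	int ret;
	long uid=0L, duid=0L;
	char *s;

	if (!filename) {
		return 0; /* path must be provided */
	}

	/* An explicit fopen mode decides the check mode: reading needs an
	 * existing file, any other mode may create it. */
	if (fopen_mode) {
		if (fopen_mode[0] == 'r') {
			mode = CHECKUID_DISALLOW_FILE_NOT_EXISTS;
		} else {
			mode = CHECKUID_CHECK_FILE_AND_DIR;
		}
	}

	/*
	 * If given filepath is a URL, allow - safe mode stuff
	 * related to URLs is checked in individual functions
	 */
	if (!strncasecmp(filename,"http://",7) || !strncasecmp(filename,"ftp://",6)) {
		return 1;
	}

	if (mode != CHECKUID_ALLOW_ONLY_DIR) {
		ret = V_STAT(filename, &sb);
		if (ret < 0) {
			if (mode == CHECKUID_DISALLOW_FILE_NOT_EXISTS) {
				php_error(E_WARNING, "Unable to access %s", filename);
				return 0;
			} else if (mode == CHECKUID_ALLOW_FILE_NOT_EXISTS) {
				php_error(E_WARNING, "Unable to access %s", filename);
				return 1;
			}
			/* CHECKUID_CHECK_FILE_AND_DIR with a missing file: the
			 * decision is made on the containing directory below.
			 * (Previously the 'return 1' sat in a stray block after the
			 * else-if and ran unconditionally, skipping that check.) */
		} else {
			uid = sb.st_uid;
			if (uid == php_getuid()) {
				return 1;
			}
		}
	}

	s = strrchr(filename,'/');

	/* This loop gets rid of trailing slashes which could otherwise be
	 * used to confuse the function.
	 */
	while(s && *(s+1)=='\0' && s>filename) {
		*s='\0';
		s = strrchr(filename,'/');
	}

	if (s) {
		/* Temporarily cut the path at the last slash so the directory
		 * itself is stat()ed, then put the slash back. */
		*s='\0';
		ret = V_STAT(filename, &sb);
		*s='/';
		if (ret < 0) {
			php_error(E_WARNING, "Unable to access %s", filename);
			return 0;
		}
		duid = sb.st_uid;
	} else {
		/* No directory component: the containing directory is the cwd. */
		char cwd[MAXPATHLEN];
		if (!V_GETCWD(cwd, MAXPATHLEN)) {
			php_error(E_WARNING, "Unable to access current working directory");
			return 0;
		}
		ret = V_STAT(cwd, &sb);
		if (ret < 0) {
			php_error(E_WARNING, "Unable to access %s", cwd);
			return 0;
		}
		duid = sb.st_uid;
	}

	if (duid == (uid=php_getuid())) {
		return 1;
	} else {
		SLS_FETCH();

		/* Files uploaded in this request are always accessible, whoever
		 * owns the directory they were stored in. */
		if (SG(rfc1867_uploaded_files)) {
			if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) filename, strlen(filename)+1)) {
				return 1;
			}
		}

		php_error(E_WARNING, "SAFE MODE Restriction in effect. The script whose uid is %ld is not allowed to access %s owned by uid %ld", uid, filename, duid);
		return 0;
	}
}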
/*
 * Look up the login name for the uid of the stat record the SAPI layer
 * reports, caching it in SG(request_info) so later calls in the same
 * request return the cached copy.  Returns empty_string when the SAPI
 * provides no stat record or the uid has no passwd entry.
 */
PHPAPI char *php_get_current_user()
{
	struct stat *script_stat;
	struct passwd *entry;
	char *cached;
	SLS_FETCH();

	cached = SG(request_info).current_user;
	if (cached != NULL) {
		return cached;
	}

	/* FIXME: I need to have this somehow handled if
	   USE_SAPI is defined, because cgi will also be
	   interfaced in USE_SAPI */
	script_stat = sapi_get_stat();
	if (script_stat == NULL) {
		return empty_string;
	}

	entry = getpwuid(script_stat->st_uid);
	if (entry == NULL) {
		return empty_string;
	}

	/* Cache a private copy; the passwd buffer belongs to the C library. */
	SG(request_info).current_user_length = strlen(entry->pw_name);
	SG(request_info).current_user = estrndup(entry->pw_name, SG(request_info).current_user_length);

	return SG(request_info).current_user;
}