php-src/main/safe_mode.c

/*
   +----------------------------------------------------------------------+
   | PHP version 4.0                                                      |
   +----------------------------------------------------------------------+
   | Copyright (c) 1997-2001 The PHP Group                                |
   +----------------------------------------------------------------------+
   | This source file is subject to version 2.02 of the PHP license,      |
   | that is bundled with this package in the file LICENSE, and is        |
   | available at through the world-wide-web at                           |
   | http://www.php.net/license/2_02.txt.                                 |
   | If you did not receive a copy of the PHP license and are unable to   |
   | obtain it through the world-wide-web, please send a note to          |
   | license@php.net so we can mail you a copy immediately.               |
   +----------------------------------------------------------------------+
   | Authors: Rasmus Lerdorf <rasmus@lerdorf.on.ca>                       |
   +----------------------------------------------------------------------+
 */
/* $Id$ */

#include "php.h"

#include <stdio.h>
#include <stdlib.h>

#if HAVE_UNISTD_H
#include <unistd.h>
#endif
#include <sys/stat.h>
#include "ext/standard/pageinfo.h"
#include "safe_mode.h"
#include "SAPI.h"
#include "php_globals.h"


/*
 * php_checkuid
 *
 * This function has four modes:
 * 
 * 0 - return invalid (0) if file does not exist
 * 1 - return valid (1)  if file does not exist
 * 2 - if file does not exist, check directory
 * 3 - only check directory (needed for mkdir)
 */

PHPAPI int php_checkuid(const char *filename, char *fopen_mode, int mode)
{
	struct stat sb;
	int ret;
	long uid=0L, gid=0L, duid=0L, dgid=0L;
	char *s;
	PLS_FETCH();

	if (!filename) {
		return 0; /* path must be provided */
	}

	if (fopen_mode) {
		if (fopen_mode[0] == 'r') {
			mode = CHECKUID_DISALLOW_FILE_NOT_EXISTS;
		} else {
			mode = CHECKUID_CHECK_FILE_AND_DIR;
		}
	}

	/* 
	 * If given filepath is a URL, allow - safe mode stuff
	 * related to URL's is checked in individual functions
     */	
	if (!strncasecmp(filename,"http://",7) || !strncasecmp(filename,"ftp://",6)) {
		return 1;
	}
		
	if (mode != CHECKUID_ALLOW_ONLY_DIR) {
		ret = VCWD_STAT(filename, &sb);
		if (ret < 0) {
			if (mode == CHECKUID_DISALLOW_FILE_NOT_EXISTS) {
				php_error(E_WARNING, "Unable to access %s", filename);
				return 0;
			} else if (mode == CHECKUID_ALLOW_FILE_NOT_EXISTS)
				php_error(E_WARNING, "Unable to access %s", filename);{
				return 1;
			}
		} else {
			uid = sb.st_uid;
			if (uid == php_getuid()) {
				return 1;
			}
		}
	}
	s = strrchr(filename,'/');

	/* This loop gets rid of trailing slashes which could otherwise be
	 * used to confuse the function.
	 */
	while(s && *(s+1)=='\0' && s>filename) {
		*s='\0';
		s = strrchr(filename,'/');
	}

	if (s) {
		*s='\0';
		ret = VCWD_STAT(filename, &sb);
		*s='/';
		if (ret < 0) {
			php_error(E_WARNING, "Unable to access %s", filename);
			return 0;
		}
		duid = sb.st_uid;
	} else {
		char cwd[MAXPATHLEN];
		if (!VCWD_GETCWD(cwd, MAXPATHLEN)) {
			php_error(E_WARNING, "Unable to access current working directory");
			return 0;
		}
		ret = VCWD_STAT(cwd, &sb);
		if (ret < 0) {
			php_error(E_WARNING, "Unable to access %s", cwd);
			return 0;
		}
		duid = sb.st_uid;
	}
	if (duid == (uid=php_getuid())) {
		return 1;
 	} else if (PG(safe_mode_gid) && dgid == (gid=php_getgid())) {
 		return 1;
	} else {
		SLS_FETCH();

		if (SG(rfc1867_uploaded_files)) {
			if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) filename, strlen(filename)+1)) {
				return 1;
			}
		}

 		if (PG(safe_mode_gid)) {
 			php_error(E_WARNING, "SAFE MODE Restriction in effect.  The script whose uid/gid is %ld/%ld is not allowed to access %s owned by uid/gid %ld/%ld", uid, gid, filename, duid, dgid);
 		} else {
 			php_error(E_WARNING, "SAFE MODE Restriction in effect.  The script whose uid is %ld is not allowed to access %s owned by uid %ld", uid, filename, duid);
 		}			
		return 0;
	}
}


PHPAPI char *php_get_current_user()
{
	struct passwd *pwd;
	struct stat *pstat;
	SLS_FETCH();

	if (SG(request_info).current_user) {
		return SG(request_info).current_user;
	}

	/* FIXME: I need to have this somehow handled if
	USE_SAPI is defined, because cgi will also be
	interfaced in USE_SAPI */

	pstat = sapi_get_stat();

	if (!pstat) {
		return empty_string;
	}

	if ((pwd=getpwuid(pstat->st_uid))==NULL) {
		return empty_string;
	}
	SG(request_info).current_user_length = strlen(pwd->pw_name);
	SG(request_info).current_user = estrndup(pwd->pw_name, SG(request_info).current_user_length);
	
	return SG(request_info).current_user;		
}	

/*
 * Local variables:
 * tab-width: 4
 * c-basic-offset: 4
 * End:
 * vim600: sw=4 ts=4 tw=78 fdm=marker
 * vim<600: sw=4 ts=4 tw=78
 */
PHP 4.0 1999-04-07 21:05:13 +00:00			`/*`
			`+----------------------------------------------------------------------+`
License update 1999-07-16 13:13:16 +00:00			`\| PHP version 4.0 \|`
PHP 4.0 1999-04-07 21:05:13 +00:00			`+----------------------------------------------------------------------+`
- Fix copyright notices with 2001 2001-02-26 06:11:02 +00:00			`\| Copyright (c) 1997-2001 The PHP Group \|`
PHP 4.0 1999-04-07 21:05:13 +00:00			`+----------------------------------------------------------------------+`
Update the license with the new clause 6 2000-05-18 15:34:45 +00:00			`\| This source file is subject to version 2.02 of the PHP license, \|`
License update 1999-07-16 13:13:16 +00:00			`\| that is bundled with this package in the file LICENSE, and is \|`
			`\| available at through the world-wide-web at \|`
Update the license with the new clause 6 2000-05-18 15:34:45 +00:00			`\| http://www.php.net/license/2_02.txt. \|`
License update 1999-07-16 13:13:16 +00:00			`\| If you did not receive a copy of the PHP license and are unable to \|`
			`\| obtain it through the world-wide-web, please send a note to \|`
			`\| license@php.net so we can mail you a copy immediately. \|`
PHP 4.0 1999-04-07 21:05:13 +00:00			`+----------------------------------------------------------------------+`
			`\| Authors: Rasmus Lerdorf <rasmus@lerdorf.on.ca> \|`
			`+----------------------------------------------------------------------+`
			`*/`
			`/* $Id$ */`
Remove tls.[ch] 1999-04-23 20:06:01 +00:00
PHP 4.0 1999-04-07 21:05:13 +00:00			`#include "php.h"`

			`#include <stdio.h>`
			`#include <stdlib.h>`

			`#if HAVE_UNISTD_H`
			`#include <unistd.h>`
			`#endif`
			`#include <sys/stat.h>`
First commit of re-structuring phase one. We have started using automake in sub-directories and started to move extension code into ext/<name>. For now, I have moved the "standard" extension (which is quite a mix of everything right now) and the GD extension into their own subdirs in ext/. The configure script now also runs configure in the libzend directory automatically and makes sure php4 and libzend use the same config.cache file. To avoid running configure in libzend, use the --no-recursion option. "make" in php4 also builds libzend now. The Apache module doesn't compile right now, but a fix for that is coming up. 1999-04-17 00:37:12 +00:00			`#include "ext/standard/pageinfo.h"`
PHP 4.0 1999-04-07 21:05:13 +00:00			`#include "safe_mode.h"`
* Get the Apache module to compile again * Get rid of php3_rqst, use SG(server_context) instead (there's still Apache-specific code, but it nuked a global) 1999-04-26 17:26:37 +00:00			`#include "SAPI.h"`
Add getmygid() and safe_mode_gid ini directive to allow safe mode to do a gid check instead of a uid check. @ - Add getmygid() and safe_mode_gid ini directive to allow safe mode to do @ a gid check instead of a uid check. (James E. Flemer, Rasmus) 2001-07-09 17:36:04 +00:00			`#include "php_globals.h"`
PHP 4.0 1999-04-07 21:05:13 +00:00
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00
PHP 4.0 1999-04-07 21:05:13 +00:00			`/*`
More php3_ annihilation 1999-12-17 19:16:50 +00:00			`* php_checkuid`
PHP 4.0 1999-04-07 21:05:13 +00:00			`*`
			`* This function has four modes:`
			`*`
			`* 0 - return invalid (0) if file does not exist`
			`* 1 - return valid (1) if file does not exist`
			`* 2 - if file does not exist, check directory`
			`* 3 - only check directory (needed for mkdir)`
			`*/`
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00
			`PHPAPI int php_checkuid(const char filename, char fopen_mode, int mode)`
- In function declerations the opening { should be on a new line 2000-11-01 17:31:53 +00:00			`{`
PHP 4.0 1999-04-07 21:05:13 +00:00			`struct stat sb;`
			`int ret;`
Add getmygid() and safe_mode_gid ini directive to allow safe mode to do a gid check instead of a uid check. @ - Add getmygid() and safe_mode_gid ini directive to allow safe mode to do @ a gid check instead of a uid check. (James E. Flemer, Rasmus) 2001-07-09 17:36:04 +00:00			`long uid=0L, gid=0L, duid=0L, dgid=0L;`
PHP 4.0 1999-04-07 21:05:13 +00:00			`char *s;`
Fix Windows build (I think) 2001-07-09 18:57:19 +00:00			`PLS_FETCH();`
PHP 4.0 1999-04-07 21:05:13 +00:00
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`if (!filename) {`
			`return 0; /* path must be provided */`
			`}`
PHP 4.0 1999-04-07 21:05:13 +00:00
- I wrote a long msg but the commit didn't go through. - So here is the short version: - a) Start moving to binary opens in Windows - b) Give checkuid_mode() a small face lift including the fopen-wrappers.c - The mode to this function should at least be a #define but that is for - another day. Anyway this whole stuff should be given more face lifts in - the future. 2000-06-25 17:02:59 +00:00			`if (fopen_mode) {`
			`if (fopen_mode[0] == 'r') {`
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`mode = CHECKUID_DISALLOW_FILE_NOT_EXISTS;`
- I wrote a long msg but the commit didn't go through. - So here is the short version: - a) Start moving to binary opens in Windows - b) Give checkuid_mode() a small face lift including the fopen-wrappers.c - The mode to this function should at least be a #define but that is for - another day. Anyway this whole stuff should be given more face lifts in - the future. 2000-06-25 17:02:59 +00:00			`} else {`
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`mode = CHECKUID_CHECK_FILE_AND_DIR;`
- I wrote a long msg but the commit didn't go through. - So here is the short version: - a) Start moving to binary opens in Windows - b) Give checkuid_mode() a small face lift including the fopen-wrappers.c - The mode to this function should at least be a #define but that is for - another day. Anyway this whole stuff should be given more face lifts in - the future. 2000-06-25 17:02:59 +00:00			`}`
			`}`

PHP 4.0 1999-04-07 21:05:13 +00:00			`/*`
			`* If given filepath is a URL, allow - safe mode stuff`
			`* related to URL's is checked in individual functions`
			`*/`
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`if (!strncasecmp(filename,"http://",7) \|\| !strncasecmp(filename,"ftp://",6)) {`
			`return 1;`
PHP 4.0 1999-04-07 21:05:13 +00:00			`}`

- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`if (mode != CHECKUID_ALLOW_ONLY_DIR) {`
- Change macros from V_ to VCWD_ because of AIX name clash 2001-04-30 12:45:02 +00:00			`ret = VCWD_STAT(filename, &sb);`
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`if (ret < 0) {`
			`if (mode == CHECKUID_DISALLOW_FILE_NOT_EXISTS) {`
			`php_error(E_WARNING, "Unable to access %s", filename);`
			`return 0;`
			`} else if (mode == CHECKUID_ALLOW_FILE_NOT_EXISTS)`
			`php_error(E_WARNING, "Unable to access %s", filename);{`
			`return 1;`
			`}`
			`} else {`
			`uid = sb.st_uid;`
			`if (uid == php_getuid()) {`
			`return 1;`
			`}`
PHP 4.0 1999-04-07 21:05:13 +00:00			`}`
			`}`
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`s = strrchr(filename,'/');`
PHP 4.0 1999-04-07 21:05:13 +00:00
			`/* This loop gets rid of trailing slashes which could otherwise be`
			`* used to confuse the function.`
			`*/`
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`while(s && *(s+1)=='\0' && s>filename) {`
# Fix silly typo 2000-01-08 14:36:12 +00:00			`*s='\0';`
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`s = strrchr(filename,'/');`
PHP 4.0 1999-04-07 21:05:13 +00:00			`}`

			`if (s) {`
			`*s='\0';`
- Change macros from V_ to VCWD_ because of AIX name clash 2001-04-30 12:45:02 +00:00			`ret = VCWD_STAT(filename, &sb);`
PHP 4.0 1999-04-07 21:05:13 +00:00			`*s='/';`
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`if (ret < 0) {`
			`php_error(E_WARNING, "Unable to access %s", filename);`
			`return 0;`
PHP 4.0 1999-04-07 21:05:13 +00:00			`}`
			`duid = sb.st_uid;`
			`} else {`
- Make all places use MAXPATHLEN in the same way. It includes the terminating NULL. 2000-12-16 20:52:43 +00:00			`char cwd[MAXPATHLEN];`
- Change macros from V_ to VCWD_ because of AIX name clash 2001-04-30 12:45:02 +00:00			`if (!VCWD_GETCWD(cwd, MAXPATHLEN)) {`
Removed '3' from key functions in PHP (maintained compatibility through php3_compat.h) 1999-08-02 19:17:14 +00:00			`php_error(E_WARNING, "Unable to access current working directory");`
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`return 0;`
PHP 4.0 1999-04-07 21:05:13 +00:00			`}`
- Change macros from V_ to VCWD_ because of AIX name clash 2001-04-30 12:45:02 +00:00			`ret = VCWD_STAT(cwd, &sb);`
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`if (ret < 0) {`
			`php_error(E_WARNING, "Unable to access %s", cwd);`
			`return 0;`
PHP 4.0 1999-04-07 21:05:13 +00:00			`}`
			`duid = sb.st_uid;`
			`}`
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`if (duid == (uid=php_getuid())) {`
			`return 1;`
Add getmygid() and safe_mode_gid ini directive to allow safe mode to do a gid check instead of a uid check. @ - Add getmygid() and safe_mode_gid ini directive to allow safe mode to do @ a gid check instead of a uid check. (James E. Flemer, Rasmus) 2001-07-09 17:36:04 +00:00			`} else if (PG(safe_mode_gid) && dgid == (gid=php_getgid())) {`
			`return 1;`
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`} else {`
@- Allow access to uploaded files in safe_mode. Beware that you can only @ read the file. If you copy it to new location the copy will not have the @ right UID and you script won't be able to access that copy. (Thies) 2001-01-09 11:58:57 +00:00			`SLS_FETCH();`

			`if (SG(rfc1867_uploaded_files)) {`
- Fix warning PR: Submitted by: Reviewed by: Obtained from: 2001-02-12 15:47:38 +00:00			`if (zend_hash_exists(SG(rfc1867_uploaded_files), (char *) filename, strlen(filename)+1)) {`
@- Allow access to uploaded files in safe_mode. Beware that you can only @ read the file. If you copy it to new location the copy will not have the @ right UID and you script won't be able to access that copy. (Thies) 2001-01-09 11:58:57 +00:00			`return 1;`
			`}`
			`}`

Add getmygid() and safe_mode_gid ini directive to allow safe mode to do a gid check instead of a uid check. @ - Add getmygid() and safe_mode_gid ini directive to allow safe mode to do @ a gid check instead of a uid check. (James E. Flemer, Rasmus) 2001-07-09 17:36:04 +00:00			`if (PG(safe_mode_gid)) {`
			`php_error(E_WARNING, "SAFE MODE Restriction in effect. The script whose uid/gid is %ld/%ld is not allowed to access %s owned by uid/gid %ld/%ld", uid, gid, filename, duid, dgid);`
			`} else {`
			`php_error(E_WARNING, "SAFE MODE Restriction in effect. The script whose uid is %ld is not allowed to access %s owned by uid %ld", uid, filename, duid);`
			`}`
- Define the different possible modes for readibility and use in the rest - of PHP 2000-11-01 18:05:27 +00:00			`return 0;`
PHP 4.0 1999-04-07 21:05:13 +00:00			`}`
			`}`


More php3_ annihilation 1999-12-17 19:16:50 +00:00			`PHPAPI char *php_get_current_user()`
PHP 4.0 1999-04-07 21:05:13 +00:00			`{`
			`struct passwd *pwd;`
More cleanup! 2000-02-10 18:19:04 +00:00			`struct stat *pstat;`
* Get the Apache module to compile again * Get rid of php3_rqst, use SG(server_context) instead (there's still Apache-specific code, but it nuked a global) 1999-04-26 17:26:37 +00:00			`SLS_FETCH();`
PHP 4.0 1999-04-07 21:05:13 +00:00
request_info.c is dead! long live SAPI @- Finished the server abstraction layer; All of the PHP code is now shared @ across different servers (Apache, CGI, IIS, etc.), except for thin @ interface modules (Zeev) 2000-02-10 20:13:08 +00:00			`if (SG(request_info).current_user) {`
			`return SG(request_info).current_user;`
PHP 4.0 1999-04-07 21:05:13 +00:00			`}`

			`/* FIXME: I need to have this somehow handled if`
			`USE_SAPI is defined, because cgi will also be`
			`interfaced in USE_SAPI */`
More cleanup... 2000-02-10 17:26:57 +00:00
More cleanup! 2000-02-10 18:19:04 +00:00			`pstat = sapi_get_stat();`
More cleanup... 2000-02-10 17:26:57 +00:00
More cleanup! 2000-02-10 18:19:04 +00:00			`if (!pstat) {`
PHP 4.0 1999-04-07 21:05:13 +00:00			`return empty_string;`
			`}`

More cleanup! 2000-02-10 18:19:04 +00:00			`if ((pwd=getpwuid(pstat->st_uid))==NULL) {`
PHP 4.0 1999-04-07 21:05:13 +00:00			`return empty_string;`
			`}`
request_info.c is dead! long live SAPI @- Finished the server abstraction layer; All of the PHP code is now shared @ across different servers (Apache, CGI, IIS, etc.), except for thin @ interface modules (Zeev) 2000-02-10 20:13:08 +00:00			`SG(request_info).current_user_length = strlen(pwd->pw_name);`
			`SG(request_info).current_user = estrndup(pwd->pw_name, SG(request_info).current_user_length);`
PHP 4.0 1999-04-07 21:05:13 +00:00
request_info.c is dead! long live SAPI @- Finished the server abstraction layer; All of the PHP code is now shared @ across different servers (Apache, CGI, IIS, etc.), except for thin @ interface modules (Zeev) 2000-02-10 20:13:08 +00:00			`return SG(request_info).current_user;`
PHP 4.0 1999-04-07 21:05:13 +00:00			`}`
vim-6 does folding - clean up a bunch of missing folding tags plus some misguided RINIT and RSHUTDOWN calls in a few fringe extensions 2001-06-05 13:12:10 +00:00
			`/*`
			`* Local variables:`
			`* tab-width: 4`
			`* c-basic-offset: 4`
			`* End:`
Fix folding and clean up some extensions 2001-06-06 13:06:12 +00:00			`* vim600: sw=4 ts=4 tw=78 fdm=marker`
			`* vim<600: sw=4 ts=4 tw=78`
vim-6 does folding - clean up a bunch of missing folding tags plus some misguided RINIT and RSHUTDOWN calls in a few fringe extensions 2001-06-05 13:12:10 +00:00			`*/`