From: Zeev Suraski Date: Sun, 30 Jan 2000 22:10:30 +0000 (+0000) Subject: @- Added the ability to prevent the user from overriding certain environment X-Git-Tag: BEFORE_SAPIFICATION_FEB_10_2000~142 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=55400283405987fa2fe7c4342052a924e8138fd9;p=php @- Added the ability to prevent the user from overriding certain environment @ variables in Safe Mode (Zeev) - Finished work, more or less --- diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c index 308022f0e7..8634288932 100644 --- a/ext/standard/basic_functions.c +++ b/ext/standard/basic_functions.c @@ -316,8 +316,10 @@ static PHP_INI_MH(OnUpdateSafeModeProtectedEnvVars) protected_vars = estrndup(new_value, new_value_length); zend_hash_clean(&BG(protected_env_vars)); - while (protected_var=strtok(protected_vars, ",")) { + protected_var=strtok(protected_vars, ", "); + while (protected_var) { zend_hash_update(&BG(protected_env_vars), protected_var, strlen(protected_var), &dummy, sizeof(int), NULL); + protected_var=strtok(NULL, ", "); } efree(protected_vars); return SUCCESS; @@ -545,6 +547,14 @@ PHP_FUNCTION(putenv) pe.key_len = strlen(pe.key); pe.key = estrndup(pe.key,pe.key_len); + if (PG(safe_mode) + && zend_hash_exists(&BG(protected_env_vars), pe.key, pe.key_len)) { + php_error(E_WARNING, "Safe Mode: Cannot override protected environment variable '%s'", pe.key); + efree(pe.putenv_string); + efree(pe.key); + RETURN_FALSE; + } + zend_hash_del(&BG(putenv_ht),pe.key,pe.key_len+1); /* find previous value */ diff --git a/ext/standard/basic_functions.h b/ext/standard/basic_functions.h index 202b32ac61..80d7a26f9a 100644 --- a/ext/standard/basic_functions.h +++ b/ext/standard/basic_functions.h @@ -184,6 +184,6 @@ typedef struct { /* Values are coma-delimited */ -#define SAFE_MODE_PROTECTED_ENV_VARS "LD_" +#define SAFE_MODE_PROTECTED_ENV_VARS "LD_LIBRARY_PATH" #endif /* _BASIC_FUNCTIONS_H */ diff --git a/php.ini-dist b/php.ini-dist index 583f5df0bd..844bf100e8 100644 --- a/php.ini-dist +++ b/php.ini-dist @@ -77,6 +77,12 @@ allow_call_time_pass_reference = On ; whether to enable the ability to force arg ; Safe Mode safe_mode = Off safe_mode_exec_dir = +safe_mode_protected_env_vars = LD_LIBRARY_PATH ; In Safe Mode, setting certain environment + ; variables may be a potential security + ; breach. This directive contains + ; a comma delimited list of environment + ; variables, that the end user won't be + ; able to override using putenv() ; Colors for Syntax Highlighting mode. Anything that's acceptable in would work. highlight.string = #DD0000