| Project: | Web File Manager |
| Version: | 6.x-2.x-dev |
| Component: | Code |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
| Issue tags: | chdir, open_basedir |
Issue Summary
The chdir function is disabled on my host 'for security issues' - I cannot control that.
Webfm uses chdir, so I checked the code and I modified it to no longer use 'chdir' - the changes are very limited:
```php
if (is_dir($dir)) {
  //if(chdir($dir)) { // COMMENT THIS LINE AND OF COURSE THE CLOSING BRACE
    if($handle = opendir($dir)) { // was "."
      while(($readdir = readdir($handle)) !== false) {
        if(is_dir($dir."/".$readdir)) // NEED TO RECONSTRUCT "FULL" PATH ($dir."/".)
          continue;
        if(is_file($dir."/".$readdir) && ($readdir == basename($file->fpath))) { // NEED TO RECONSTRUCT "FULL" PATH ($dir."/".)
```
Please proceed to similar changes in order to avoid me having to update this in future updates and also for other users of course.
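The chdir-free lookup described in the issue summary above, as an added example that is not Web File Manager's code or the patch attached later in this thread. The function names `is_function_disabled` and `find_file_in_dir`, and the temporary directory and file, are hypothetical and constructed for illustration:

```php
<?php
// Added example, not Web File Manager code. Function names are hypothetical.

/** True if $fn is listed in php.ini's disable_functions. */
function is_function_disabled(string $fn): bool {
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return in_array($fn, $disabled, true);
}

/**
 * Look for a regular file called $name directly inside $dir without
 * changing the working directory. Returns the full path, or null.
 */
function find_file_in_dir(string $dir, string $name): ?string {
    if (!is_dir($dir) || ($handle = opendir($dir)) === false) {
        return null;
    }
    $found = null;
    while (($entry = readdir($handle)) !== false) {
        // readdir() returns bare names, so rebuild the full path for every check
        $path = rtrim($dir, '/') . '/' . $entry;
        if (is_dir($path)) {
            continue; // skips ".", ".." and subdirectories
        }
        if (is_file($path) && $entry === $name) {
            $found = $path;
            break;
        }
    }
    closedir($handle); // always release the handle, found or not
    return $found;
}

// Constructed sample data: a temporary directory holding one file.
$dir = sys_get_temp_dir() . '/webfm_demo_' . uniqid();
mkdir($dir);
file_put_contents($dir . '/report.txt', 'demo');

$cwdBefore = getcwd();
var_dump(is_function_disabled('chdir'));                 // host policy check
var_dump(find_file_in_dir($dir, 'report.txt') === $dir . '/report.txt');
var_dump(find_file_in_dir($dir, 'missing.txt'));
var_dump(getcwd() === $cwdBefore);                       // working directory untouched

unlink($dir . '/report.txt');
rmdir($dir);
```

Because the working directory is process-wide state, building full paths also avoids the "forgot to chdir back" problem raised later in the thread.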
Comments
#1
Can you give some detail on what security issues are encountered (error messages, emails from your host, etc.)? I'm willing to do this, so long as it's not a change that is specific to one host (i.e. does this happen because of safe_mode? does this happen because your host has that particular function disabled?).
Thanks!
#2
#3
le_top, once you answer, please also provide this information from your phpinfo() (or php.ini):
The values of these settings would be interesting:
#4
Here is the requested info:
open_basedir
Local value: /data/village/mylogin:/tmp
Master value: no value
disable_functions:
Local & master value: exec,system,shell_exec,dl,passthru,popen,proc_open,escapeshellcmd,chgrp,chdir
safe_mode:
Master & local value: off
I've modified webfm locally by using the direct path and it works that way. I had to put $dir."/".$readdir in several places - I forgot the line where the file status is checked in my initial message.
#5
Actually I would suggest you contact your provider to remove this nonsense "chdir" from the list of disabled functions. You cannot break out of the folders specified via the "open_basedir"-restriction with "chdir".
If you were in /data/village/mylogin and tried to chdir to /data/village/ you wouldn't be able to and get a Warning: "open_basedir restriction in effect". As you noted yourself: chdir = is_dir+opendir+readdir, so merely a "convenience".
I would suggest not to "fix"/change this in the code.
#6
Hi Niels
I did request this change from my web hoster, but not much effect since I posted the request here. Their official explanation is that this is to avoid that one can change data in another account - but that is no restriction as you see yourself.
Personally, I avoid 'chdir' inside code because one generally ends up at one point forgetting to 'chdir' back again. One could also be in another location than expected in a subroutine call. So I find it best to stay where you were.
Further, other hosters could have the same restriction. Since it isn't a very big change, I'd think it's a change to make.
#7
Well...I guess for now, you have a working installation. I agree with you on chdir being bad, but for the next week or so, I don't have any time to put towards this. So here's what you can do to make this closer to a fix:
Can you supply a patch that contains all the changes you've made to make webFM work without chdir? If you're on CVS HEAD, just do `cvs diff -up`. If not, redownload and extract the release that you are using and do `diff -up /path/to/d.o/copy/ /path/to/your/copy`
Thanks!
#8
The compressed diff file is attached. I was not working in CVS so I got the current version from the head, changed it, diffed against my working copy (looks ok) and compressed it with gzip.
My host finally did update their rules, but my analysis still stands ;-).
Thanks for your followup.
#9
#10
Thank you for providing this. I polished the patch and committed.
#11
#12
Automatically closed -- issue fixed for 2 weeks with no activity.