1 /*
2 +----------------------------------------------------------------------+
3 | PHP Version 5 |
4 +----------------------------------------------------------------------+
5 | Copyright (c) 1997-2015 The PHP Group |
6 +----------------------------------------------------------------------+
7 | This source file is subject to version 3.01 of the PHP license, |
8 | that is bundled with this package in the file LICENSE, and is |
9 | available through the world-wide-web at the following url: |
10 | http://www.php.net/license/3_01.txt |
11 | If you did not receive a copy of the PHP license and are unable to |
12 | obtain it through the world-wide-web, please send a note to |
13 | license@php.net so we can mail you a copy immediately. |
14 +----------------------------------------------------------------------+
15 | Author: Sascha Schumann <sascha@schumann.cx> |
16 +----------------------------------------------------------------------+
17 */
18
19 /* $Id$ */
20
21 #include "php.h"
22
23 #include <sys/stat.h>
24 #include <sys/types.h>
25
26 #if HAVE_SYS_FILE_H
27 #include <sys/file.h>
28 #endif
29
30 #if HAVE_DIRENT_H
31 #include <dirent.h>
32 #endif
33
34 #ifdef PHP_WIN32
35 #include "win32/readdir.h"
36 #endif
37 #include <time.h>
38
39 #include <fcntl.h>
40 #include <errno.h>
41
42 #if HAVE_UNISTD_H
43 #include <unistd.h>
44 #endif
45
46 #include "php_session.h"
47 #include "mod_files.h"
48 #include "ext/standard/flock_compat.h"
49 #include "php_open_temporary_file.h"
50
51 #define FILE_PREFIX "sess_"
52
53 #ifdef PHP_WIN32
54 # ifndef O_NOFOLLOW
55 # define O_NOFOLLOW 0
56 # endif
57 #endif
58
59 typedef struct {
60 int fd;
61 char *lastkey;
62 char *basedir;
63 size_t basedir_len;
64 size_t dirdepth;
65 size_t st_size;
66 int filemode;
67 } ps_files;
68
69 ps_module ps_mod_files = {
70 PS_MOD_SID(files)
71 };
72
73
ps_files_path_create(char * buf,size_t buflen,ps_files * data,const char * key)74 static char *ps_files_path_create(char *buf, size_t buflen, ps_files *data, const char *key)
75 {
76 size_t key_len;
77 const char *p;
78 int i;
79 int n;
80
81 key_len = strlen(key);
82 if (key_len <= data->dirdepth ||
83 buflen < (strlen(data->basedir) + 2 * data->dirdepth + key_len + 5 + sizeof(FILE_PREFIX))) {
84 return NULL;
85 }
86
87 p = key;
88 memcpy(buf, data->basedir, data->basedir_len);
89 n = data->basedir_len;
90 buf[n++] = PHP_DIR_SEPARATOR;
91 for (i = 0; i < (int)data->dirdepth; i++) {
92 buf[n++] = *p++;
93 buf[n++] = PHP_DIR_SEPARATOR;
94 }
95 memcpy(buf + n, FILE_PREFIX, sizeof(FILE_PREFIX) - 1);
96 n += sizeof(FILE_PREFIX) - 1;
97 memcpy(buf + n, key, key_len);
98 n += key_len;
99 buf[n] = '\0';
100
101 return buf;
102 }
103
104 #ifndef O_BINARY
105 # define O_BINARY 0
106 #endif
107
ps_files_close(ps_files * data)108 static void ps_files_close(ps_files *data)
109 {
110 if (data->fd != -1) {
111 #ifdef PHP_WIN32
112 /* On Win32 locked files that are closed without being explicitly unlocked
113 will be unlocked only when "system resources become available". */
114 flock(data->fd, LOCK_UN);
115 #endif
116 close(data->fd);
117 data->fd = -1;
118 }
119 }
120
ps_files_open(ps_files * data,const char * key TSRMLS_DC)121 static void ps_files_open(ps_files *data, const char *key TSRMLS_DC)
122 {
123 char buf[MAXPATHLEN];
124 struct stat sbuf;
125 int ret;
126
127 if (data->fd < 0 || !data->lastkey || strcmp(key, data->lastkey)) {
128 if (data->lastkey) {
129 efree(data->lastkey);
130 data->lastkey = NULL;
131 }
132
133 ps_files_close(data);
134
135 if (php_session_valid_key(key) == FAILURE) {
136 php_error_docref(NULL TSRMLS_CC, E_WARNING, "The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'");
137 return;
138 }
139
140 if (!ps_files_path_create(buf, sizeof(buf), data, key)) {
141 return;
142 }
143
144 data->lastkey = estrdup(key);
145
146 /* O_NOFOLLOW to prevent us from following evil symlinks */
147 #ifdef O_NOFOLLOW
148 data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY | O_NOFOLLOW, data->filemode);
149 #else
150 /* Check to make sure that the opened file is not outside of allowable dirs.
151 This is not 100% safe but it's hard to do something better without O_NOFOLLOW */
152 if(PG(open_basedir) && lstat(buf, &sbuf) == 0 && S_ISLNK(sbuf.st_mode) && php_check_open_basedir(buf TSRMLS_CC)) {
153 return;
154 }
155 data->fd = VCWD_OPEN_MODE(buf, O_CREAT | O_RDWR | O_BINARY, data->filemode);
156 #endif
157
158 if (data->fd != -1) {
159 #ifndef PHP_WIN32
160 /* check that this session file was created by us or root – we
161 don't want to end up accepting the sessions of another webapp */
162 if (fstat(data->fd, &sbuf) || (sbuf.st_uid != 0 && sbuf.st_uid != getuid() && sbuf.st_uid != geteuid())) {
163 close(data->fd);
164 data->fd = -1;
165 return;
166 }
167 #endif
168 do {
169 ret = flock(data->fd, LOCK_EX);
170 } while (ret == -1 && errno == EINTR);
171
172 #ifdef F_SETFD
173 # ifndef FD_CLOEXEC
174 # define FD_CLOEXEC 1
175 # endif
176 if (fcntl(data->fd, F_SETFD, FD_CLOEXEC)) {
177 php_error_docref(NULL TSRMLS_CC, E_WARNING, "fcntl(%d, F_SETFD, FD_CLOEXEC) failed: %s (%d)", data->fd, strerror(errno), errno);
178 }
179 #endif
180 } else {
181 php_error_docref(NULL TSRMLS_CC, E_WARNING, "open(%s, O_RDWR) failed: %s (%d)", buf, strerror(errno), errno);
182 }
183 }
184 }
185
ps_files_cleanup_dir(const char * dirname,int maxlifetime TSRMLS_DC)186 static int ps_files_cleanup_dir(const char *dirname, int maxlifetime TSRMLS_DC)
187 {
188 DIR *dir;
189 char dentry[sizeof(struct dirent) + MAXPATHLEN];
190 struct dirent *entry = (struct dirent *) &dentry;
191 struct stat sbuf;
192 char buf[MAXPATHLEN];
193 time_t now;
194 int nrdels = 0;
195 size_t dirname_len;
196
197 dir = opendir(dirname);
198 if (!dir) {
199 php_error_docref(NULL TSRMLS_CC, E_NOTICE, "ps_files_cleanup_dir: opendir(%s) failed: %s (%d)", dirname, strerror(errno), errno);
200 return (0);
201 }
202
203 time(&now);
204
205 dirname_len = strlen(dirname);
206
207 /* Prepare buffer (dirname never changes) */
208 memcpy(buf, dirname, dirname_len);
209 buf[dirname_len] = PHP_DIR_SEPARATOR;
210
211 while (php_readdir_r(dir, (struct dirent *) dentry, &entry) == 0 && entry) {
212 /* does the file start with our prefix? */
213 if (!strncmp(entry->d_name, FILE_PREFIX, sizeof(FILE_PREFIX) - 1)) {
214 size_t entry_len = strlen(entry->d_name);
215
216 /* does it fit into our buffer? */
217 if (entry_len + dirname_len + 2 < MAXPATHLEN) {
218 /* create the full path.. */
219 memcpy(buf + dirname_len + 1, entry->d_name, entry_len);
220
221 /* NUL terminate it and */
222 buf[dirname_len + entry_len + 1] = '\0';
223
224 /* check whether its last access was more than maxlifetime ago */
225 if (VCWD_STAT(buf, &sbuf) == 0 &&
226 (now - sbuf.st_mtime) > maxlifetime) {
227 VCWD_UNLINK(buf);
228 nrdels++;
229 }
230 }
231 }
232 }
233
234 closedir(dir);
235
236 return (nrdels);
237 }
238
ps_files_key_exists(ps_files * data,const char * key TSRMLS_DC)239 static int ps_files_key_exists(ps_files *data, const char *key TSRMLS_DC)
240 {
241 char buf[MAXPATHLEN];
242 struct stat sbuf;
243
244 if (!key || !ps_files_path_create(buf, sizeof(buf), data, key)) {
245 return FAILURE;
246 }
247 if (VCWD_STAT(buf, &sbuf)) {
248 return FAILURE;
249 }
250 return SUCCESS;
251 }
252
253
254 #define PS_FILES_DATA ps_files *data = PS_GET_MOD_DATA()
255
PS_OPEN_FUNC(files)256 PS_OPEN_FUNC(files)
257 {
258 ps_files *data;
259 const char *p, *last;
260 const char *argv[3];
261 int argc = 0;
262 size_t dirdepth = 0;
263 int filemode = 0600;
264
265 if (*save_path == '\0') {
266 /* if save path is an empty string, determine the temporary dir */
267 save_path = php_get_temporary_directory(TSRMLS_C);
268
269 if (php_check_open_basedir(save_path TSRMLS_CC)) {
270 return FAILURE;
271 }
272 }
273
274 /* split up input parameter */
275 last = save_path;
276 p = strchr(save_path, ';');
277 while (p) {
278 argv[argc++] = last;
279 last = ++p;
280 p = strchr(p, ';');
281 if (argc > 1) break;
282 }
283 argv[argc++] = last;
284
285 if (argc > 1) {
286 errno = 0;
287 dirdepth = (size_t) strtol(argv[0], NULL, 10);
288 if (errno == ERANGE) {
289 php_error(E_WARNING, "The first parameter in session.save_path is invalid");
290 return FAILURE;
291 }
292 }
293
294 if (argc > 2) {
295 errno = 0;
296 filemode = strtol(argv[1], NULL, 8);
297 if (errno == ERANGE || filemode < 0 || filemode > 07777) {
298 php_error(E_WARNING, "The second parameter in session.save_path is invalid");
299 return FAILURE;
300 }
301 }
302 save_path = argv[argc - 1];
303
304 data = ecalloc(1, sizeof(*data));
305
306 data->fd = -1;
307 data->dirdepth = dirdepth;
308 data->filemode = filemode;
309 data->basedir_len = strlen(save_path);
310 data->basedir = estrndup(save_path, data->basedir_len);
311
312 if (PS_GET_MOD_DATA()) {
313 ps_close_files(mod_data TSRMLS_CC);
314 }
315 PS_SET_MOD_DATA(data);
316
317 return SUCCESS;
318 }
319
PS_CLOSE_FUNC(files)320 PS_CLOSE_FUNC(files)
321 {
322 PS_FILES_DATA;
323
324 ps_files_close(data);
325
326 if (data->lastkey) {
327 efree(data->lastkey);
328 data->lastkey = NULL;
329 }
330
331 efree(data->basedir);
332 efree(data);
333 *mod_data = NULL;
334
335 return SUCCESS;
336 }
337
PS_READ_FUNC(files)338 PS_READ_FUNC(files)
339 {
340 long n;
341 struct stat sbuf;
342 PS_FILES_DATA;
343
344 /* If strict mode, check session id existence */
345 if (PS(use_strict_mode) &&
346 ps_files_key_exists(data, key TSRMLS_CC) == FAILURE) {
347 /* key points to PS(id), but cannot change here. */
348 if (key) {
349 efree(PS(id));
350 PS(id) = NULL;
351 }
352 PS(id) = PS(mod)->s_create_sid((void **)&data, NULL TSRMLS_CC);
353 if (!PS(id)) {
354 return FAILURE;
355 }
356 if (PS(use_cookies)) {
357 PS(send_cookie) = 1;
358 }
359 php_session_reset_id(TSRMLS_C);
360 PS(session_status) = php_session_active;
361 }
362
363 ps_files_open(data, PS(id) TSRMLS_CC);
364 if (data->fd < 0) {
365 return FAILURE;
366 }
367
368 if (fstat(data->fd, &sbuf)) {
369 return FAILURE;
370 }
371
372 data->st_size = *vallen = sbuf.st_size;
373
374 if (sbuf.st_size == 0) {
375 *val = STR_EMPTY_ALLOC();
376 return SUCCESS;
377 }
378
379 *val = emalloc(sbuf.st_size);
380
381 #if defined(HAVE_PREAD)
382 n = pread(data->fd, *val, sbuf.st_size, 0);
383 #else
384 lseek(data->fd, 0, SEEK_SET);
385 n = read(data->fd, *val, sbuf.st_size);
386 #endif
387
388 if (n != sbuf.st_size) {
389 if (n == -1) {
390 php_error_docref(NULL TSRMLS_CC, E_WARNING, "read failed: %s (%d)", strerror(errno), errno);
391 } else {
392 php_error_docref(NULL TSRMLS_CC, E_WARNING, "read returned less bytes than requested");
393 }
394 efree(*val);
395 return FAILURE;
396 }
397
398 return SUCCESS;
399 }
400
PS_WRITE_FUNC(files)401 PS_WRITE_FUNC(files)
402 {
403 long n;
404 PS_FILES_DATA;
405
406 ps_files_open(data, key TSRMLS_CC);
407 if (data->fd < 0) {
408 return FAILURE;
409 }
410
411 /* Truncate file if the amount of new data is smaller than the existing data set. */
412
413 if (vallen < (int)data->st_size) {
414 php_ignore_value(ftruncate(data->fd, 0));
415 }
416
417 #if defined(HAVE_PWRITE)
418 n = pwrite(data->fd, val, vallen, 0);
419 #else
420 lseek(data->fd, 0, SEEK_SET);
421 n = write(data->fd, val, vallen);
422 #endif
423
424 if (n != vallen) {
425 if (n == -1) {
426 php_error_docref(NULL TSRMLS_CC, E_WARNING, "write failed: %s (%d)", strerror(errno), errno);
427 } else {
428 php_error_docref(NULL TSRMLS_CC, E_WARNING, "write wrote less bytes than requested");
429 }
430 return FAILURE;
431 }
432
433 return SUCCESS;
434 }
435
PS_DESTROY_FUNC(files)436 PS_DESTROY_FUNC(files)
437 {
438 char buf[MAXPATHLEN];
439 PS_FILES_DATA;
440
441 if (!ps_files_path_create(buf, sizeof(buf), data, key)) {
442 return FAILURE;
443 }
444
445 if (data->fd != -1) {
446 ps_files_close(data);
447
448 if (VCWD_UNLINK(buf) == -1) {
449 /* This is a little safety check for instances when we are dealing with a regenerated session
450 * that was not yet written to disk. */
451 if (!VCWD_ACCESS(buf, F_OK)) {
452 return FAILURE;
453 }
454 }
455 }
456
457 return SUCCESS;
458 }
459
PS_GC_FUNC(files)460 PS_GC_FUNC(files)
461 {
462 PS_FILES_DATA;
463
464 /* we don't perform any cleanup, if dirdepth is larger than 0.
465 we return SUCCESS, since all cleanup should be handled by
466 an external entity (i.e. find -ctime x | xargs rm) */
467
468 if (data->dirdepth == 0) {
469 *nrdels = ps_files_cleanup_dir(data->basedir, maxlifetime TSRMLS_CC);
470 }
471
472 return SUCCESS;
473 }
474
PS_CREATE_SID_FUNC(files)475 PS_CREATE_SID_FUNC(files)
476 {
477 char *sid;
478 int maxfail = 3;
479 PS_FILES_DATA;
480
481 do {
482 sid = php_session_create_id((void **)&data, newlen TSRMLS_CC);
483 /* Check collision */
484 if (data && ps_files_key_exists(data, sid TSRMLS_CC) == SUCCESS) {
485 if (sid) {
486 efree(sid);
487 sid = NULL;
488 }
489 if (!(maxfail--)) {
490 return NULL;
491 }
492 }
493 } while(!sid);
494
495 return sid;
496 }
497
498
499 /*
500 * Local variables:
501 * tab-width: 4
502 * c-basic-offset: 4
503 * End:
504 * vim600: sw=4 ts=4 fdm=marker
505 * vim<600: sw=4 ts=4
506 */
507
