Doc Bug #11940 ill side effect of open_basedir
Submitted: 2001-07-06 17:36 UTC Modified: 2003-01-18 14:44 UTC
From: a dot genkin at utoronto dot ca Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4.0.6 OS: Solaris 8/sparc
Private report: No CVE-ID: None
 [2001-07-06 17:36 UTC] a dot genkin at utoronto dot ca
safe_mode = On
doc_root = /homes/u0/apache
open_basedir = "/var/www/htdocs/workathome:/var/www/secure:/var/www/tmp"
(/var/www is a symlink for /homes/u0/apache)

In such a setting I should be able to execute PHP scripts from any directory under /homes/u0/apache, but not access any files unless they are under one of the directories in open_basedir.  However, I cannot place any scripts in, say, /homes/u0/apache/cdf/deadlines/.  A minimal file foo.php, saved there, containing only:

<?php echo "<html><body>Hello</body></html>"; ?>

results in the script not being executed, with the following error messages:

[Fri Jul  6 17:24:53 2001] [error] PHP Warning:  open_basedir restriction in effect. File is in wrong directory in Unknown on line 0
[Fri Jul  6 17:24:53 2001] [error] PHP Warning:  Failed opening '/homes/u0/apache/htdocs/cdf/deadlines/foo.php' for inclusion (include_path='') in Unknown on line 0

open_basedir's documentation says that it should only restrict directories from where a file can be opened by a PHP script.
http://www.php.net/manual/en/configuration.php

Many thanks,
-- 
Arcady Genkin

 [2001-07-06 17:43 UTC] jason@php.net
This is not a bug, include calls a file open operation,
and as such must be in the open_basedir path

-Jason
 [2001-07-06 18:25 UTC] a dot genkin at utoronto dot ca
I may be missing something, but there is no include() or any other file-related operation in the sample script that I posted.  All it has is 'echo "hello"'.
 [2001-07-06 23:26 UTC] jason@php.net
Sorry, I wrote that in a hurry.

ANY file open operation performed by PHP has to be in open_basedir. (Including your main script.)
This is actually by design.

-Jason
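
The behaviour described in the comment above, as an added example that is not part of the original thread or of PHP's source: a simplified Python model of the open_basedir check, run over a constructed copy of the reporter's layout to list the scripts PHP would refuse to open as the main script. The function names are hypothetical, and treating each entry as a directory name after symlink resolution is an assumption of this model.

```python
import os
import tempfile

def allowed_by_open_basedir(path, open_basedir):
    """Simplified model: resolve symlinks on both sides, then compare directories."""
    real = os.path.realpath(path)
    for entry in open_basedir.split(os.pathsep):
        if not entry:
            continue
        base = os.path.realpath(entry)
        # Assumption: an entry permits the directory itself and everything below it.
        if real == base or real.startswith(base + os.sep):
            return True
    return False

def audit_scripts(doc_root, open_basedir):
    """List .php files under doc_root that fall outside every open_basedir entry."""
    refused = []
    for dirpath, _dirs, files in os.walk(doc_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.endswith(".php") and not allowed_by_open_basedir(full, open_basedir):
                refused.append(os.path.relpath(full, doc_root))
    return sorted(refused)

def build_demo_layout(root):
    """Constructed layout mirroring the report: <root>/var/www -> <root>/homes/u0/apache."""
    apache = os.path.join(root, "homes", "u0", "apache")
    for sub in ("htdocs/workathome", "htdocs/cdf/deadlines", "secure", "tmp"):
        os.makedirs(os.path.join(apache, sub))
    os.makedirs(os.path.join(root, "var"))
    www = os.path.join(root, "var", "www")
    os.symlink(apache, www)
    # ok.php is a constructed file; foo.php is the script from the report.
    for rel in ("htdocs/workathome/ok.php", "htdocs/cdf/deadlines/foo.php"):
        with open(os.path.join(apache, rel), "w") as fh:
            fh.write('<?php echo "<html><body>Hello</body></html>"; ?>')
    entries = ("htdocs/workathome", "secure", "tmp")
    basedir = os.pathsep.join(os.path.join(www, e) for e in entries)
    return apache, basedir

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        doc_root, basedir = build_demo_layout(root)
        for script in audit_scripts(doc_root, basedir):
            print("outside open_basedir:", script)
```
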
 [2001-07-07 01:41 UTC] a dot genkin at utoronto dot ca
Jason, thanks for the clarification.  I apologize for persistence, but I'm re-opening the bug under a different category.  There are two issues here now:

1. The documentation does not describe this configuration
   option clearly.  It only talks about (quote)
   "When a script tries to open a file...".  It should
   mention that the restriction applies to the script
   itself.  The first sentence may imply this, but only
   very vaguely.
   http://www.php.net/manual/en/configuration.php



2. The error message logged by PHP is not helpful.
   It talks about opening a file for inclusion, which actually
   is probably what led even you into confusion when you
   replied to this bug in the first place.  Also, the
   word "Unknown" in both sentences of the error message
   is not very helpful, either.

Thanks again,
--
Arcady Genkin

 [2003-01-18 14:44 UTC] philip@php.net
This has been clarified in the docs:
http://cvs.php.net/cvs.php/phpdoc/en/features/safe-mode.xml

Thanks for the report :)
 
Last updated: Tue Apr 23 07:01:29 2024 UTC