Doc Bug #7187 open_basedir is broken! Security alert!
Submitted: 2000-10-13 11:52 UTC Modified: 2001-06-20 22:33 UTC
From: dron at usa dot net Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4.0.3 OS: Linux 2.0.38 libc5
Private report: No CVE-ID: None
 [2000-10-13 11:52 UTC] dron at usa dot net
open_basedir is broken in 4.03 release!!! It is not working like in 4.02..
I used 
php_value open_basedir '.'
in 4.02 to restrict some virtual servers in apache from accessing external files, but after upgrading to version 4.03 it allows access to any file in the filesystem.
Running apache 1.3.12 and php as a dynamic module.
Any hotfix?

 [2000-10-13 12:01 UTC] dron at usa dot net
open_basedir is broken in 4.03 release!!! It is not working like in 4.02..
I used 
php_value open_basedir '.'
in 4.02 to restrict some virtual servers in apache from accessing external files, but after
upgrading to version 4.03 it allows access to any file in the filesystem.
Running apache 1.3.12 and php as a dynamic module.
Any hotfix?

It MAY be connected with Bug id #7175.
Please fix as soon as possible!
 [2000-10-13 12:20 UTC] andi@php.net
You should be using full path with the open_basedir directive as far as I know. Can you please try and let us know of the results?
 [2000-10-13 12:27 UTC] dron at usa dot net
http://www.php.net/manual/configuration.php
----
open_basedir string
Limit the files that can be opened by PHP to the specified directory-tree. 

When a script tries to open a file with, for example, fopen or gzopen, the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink. 

The special value . indicates that the directory in which the script is stored will be used as base-directory
---

I don't need a full path - I want to restrict users from accessing files in upper-level directories.


As Mr. Zeev Suraski said:
It's not related to open_basedir, there's a problem in the php_value system in 4.0.3.  

 [2000-10-15 17:09 UTC] sniper@php.net
Should be fixed in php4.03pl1.

--Jani
 [2000-10-16 08:04 UTC] dron at usa dot net
Fixed in php4.03pl1.

I should use
php_admin_value open_basedir '.'
instead of
php_value open_basedir '.'

Please make it clear in the manual.

 [2000-10-16 08:19 UTC] sniper@php.net
Reclassified as documentation problem. 

On page:
http://www.php.net/manual/configuration.php

The directives should be somehow grouped better
to see e.g. which ones can be changed with php_value
and which are only changeable with php_admin_value.

--Jani
 [2001-06-20 22:33 UTC] danbeck@php.net
I'm closing this and re-opening a more detailed bug report.  This is only indirectly related to open_basedir now.
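
The outcome of this thread (open_basedir belongs under php_admin_value, not php_value) can be checked mechanically across vhost configuration. The following is an added example, not part of the original report or of PHP itself; the function name audit() and the sample configuration are constructed for illustration.

```python
import re

# Directives treated as access restrictions. The thread only covers
# open_basedir; extending this set is an assumption left to the reader.
RESTRICTIONS = {"open_basedir"}

DIRECTIVE = re.compile(r"^\s*(php_(?:admin_)?value)\s+(\S+)\s+(.*?)\s*$", re.I)
SECTION_OPEN = re.compile(r"^\s*<\s*([A-Za-z]+)\s*([^>]*)>")
SECTION_CLOSE = re.compile(r"^\s*</")

def audit(config_text):
    """Return (findings, fixed_text).

    A finding is (line_no, enclosing_section, original_line) for every
    restriction set with php_value instead of php_admin_value.
    """
    findings, out, stack = [], [], []
    for no, line in enumerate(config_text.splitlines(), 1):
        if not line.strip().startswith("#"):      # skip commented-out lines
            if SECTION_CLOSE.match(line):
                if stack:
                    stack.pop()
            elif (m := SECTION_OPEN.match(line)):
                stack.append(f"{m.group(1)} {m.group(2)}".strip())
            m = DIRECTIVE.match(line)
            if (m and m.group(1).lower() == "php_value"
                    and m.group(2).lower() in RESTRICTIONS):
                section = stack[-1] if stack else "(server config)"
                findings.append((no, section, line.strip()))
                line = re.sub("php_value", "php_admin_value", line,
                              count=1, flags=re.I)
        out.append(line)
    return findings, "\n".join(out)

# Constructed sample: first vhost uses the weak form, second the correct one.
SAMPLE = """\
<VirtualHost *:80>
    ServerName a.example
    DocumentRoot /home/a/htdocs
    php_value open_basedir '.'
</VirtualHost>
<VirtualHost *:80>
    ServerName b.example
    DocumentRoot /home/b/htdocs
    php_admin_value open_basedir '.'
    php_value include_path '.'
</VirtualHost>
# php_value open_basedir /tmp
"""

if __name__ == "__main__":
    for no, section, text in audit(SAMPLE)[0]:
        print(f"line {no} in <{section}>: {text}")
```
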