PHP :: Request #48548 :: file_exists() returns false on paths using ../ in middle

file_exists() returns false on paths using ../ in middle

Submitted:

2009-06-14 16:23 UTC

Modified:

2016-01-16 13:57 UTC

Votes:	7
Avg. Score:	3.7 ± 1.4
Reproduced:	5 of 6 (83.3%)
Same Version:	2 (40.0%)
Same OS:	5 (100.0%)

From:

adam at e-nition dot com

Assigned:

Status:

Not a bug

Package:

Filesystem function related

PHP Version:

5.2.9

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2009-06-14 16:23 UTC] adam at e-nition dot com

Description:
------------
The file_exists() function returns false on files that do exist but use a directory traversal in the path. Not at the start of the path, I mean in the middle of the path. (This type of path works fine on the include function)

Works fine on windows apache2.2.11 php5.2.9



Reproduce code:
---------------
(Example based on a file called 'real_file.php' being placed in a directory called 'real_dir')

$test_path = 'real_dir/fake_dir/../real_file.php',

if (file_exists($test_path)) {
    echo 'File does exist<br />';
    echo (@include($test_path)) ? 'File included' : 'File NOT included';
} else {
    echo 'File does Not exist<br />';
    echo (@include($test_path)) ? 'File included' : 'File NOT included';
}

Expected result:
----------------
File does exist
File included

Actual result:
--------------
File does NOT exist
File included

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2009-06-16 13:33 UTC] ben at nurfuerspam dot de

This is actually not a bug, as the path cannot be traversed on a filesystem either.
Just try it in any *nix shell for yourself:
When you call "cd fake_dir/../" you'd expect to cut off the fakepath and stay in the same directory, but you'll get a "No such file or directory" error instead as there is no fake_dir that could be resolved.

[2009-06-16 13:39 UTC] adam at e-nition dot com

I fully understand that as I have tried it, but the include and require functions manage this correctly? Seems a bit silly to be able to include a file with this type of path but not check if it exists?

Also, if this were to work this way both windows and linux setups would match - which is always nice :)

Either way thanks for looking at it.

Adam

[2010-12-20 13:17 UTC] jani@php.net

-Package: Feature/Change Request +Package: Filesystem function related

[2016-01-16 13:57 UTC] danack@php.net

-Status: Open +Status: Not a bug

[2016-01-16 13:57 UTC] danack@php.net

There does not appear to be a bug here. The behaviour is correct for the reported case....and I don't think breaking it on Windows would be appreciated.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Dec 20 14:00:02 2025 UTC