| Bug #7187 | open_basedir is broken! Security alert! | | |
|---|---|---|---|
| Submitted: | 13 Oct 2000 11:52am UTC | Modified: | 20 Jun 2001 10:33pm UTC |
| From: | dron at usa dot net | Assigned to: | |
| Status: | Closed | Category: | Documentation problem |
| Version: | 4.0.3 | OS: | Linux 2.0.38 libc5 |

[13 Oct 2000 11:52am UTC] dron at usa dot net
[13 Oct 2000 12:01pm UTC] dron at usa dot net
open_basedir is broken in 4.03 release!!! It is not working like in 4.02. I used php_value open_basedir '.' in 4.02 to restrict some virtual servers in Apache from accessing external files, but after upgrading to version 4.03 it allows access to any file in the filesystem. Running Apache 1.3.12 and PHP as a dynamic module. Any hotfix? It MAY be connected with Bug id #7175. Please fix as soon as possible!
[13 Oct 2000 12:20pm UTC] andi@php.net
You should be using full path with the open_basedir directive as far as I know. Can you please try and let us know of the results?
[13 Oct 2000 12:27pm UTC] dron at usa dot net
http://www.php.net/manual/configuration.php

> open_basedir string
>
> Limit the files that can be opened by PHP to the specified directory-tree. When a script tries to open a file with, for example, fopen or gzopen, the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink. The special value . indicates that the directory in which the script is stored will be used as base-directory

I don't need a full path - I want to restrict users from accessing files in upper-level directories. As Mr. Zeev Suraski said: It's not related to open_basedir, there's a problem in the php_value system in 4.0.3.
[15 Oct 2000 5:09pm UTC] sniper@php.net
Should be fixed in php4.03pl1. --Jani
[16 Oct 2000 8:04am UTC] dron at usa dot net
Fixed in php4.03pl1. I should use php_admin_value open_basedir '.' instead of php_value open_basedir '.'. Please make it clear in the manual.
[16 Oct 2000 8:19am UTC] sniper@php.net
Reclassified as documentation problem.

On page: http://www.php.net/manual/configuration.php

The directives should be somehow grouped better to see e.g. which ones can be changed with php_value and which are only changeable with php_admin_value.

--Jani
[20 Jun 2001 10:33pm UTC] danbeck@php.net
I'm closing this and re-opening a more detailed bug report. This is only indirectly related to open_basedir now.
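
An added example, not part of the bug thread or PHP's own code: a small Python audit for the configuration fix reported above. It reads Apache configuration text and reports, per VirtualHost, whether open_basedir is set with php_admin_value, only with php_value (the form the reporter found no longer restricted file access), or not at all. The function name, status labels, sample configuration and host names are constructed for illustration.

```python
import re

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\b", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
SERVER_NAME = re.compile(r"^\s*ServerName\s+(\S+)", re.I)
BASEDIR = re.compile(r"^\s*(php_value|php_admin_value)\s+open_basedir\s+\S", re.I)


def audit_vhosts(config_text):
    """Map each VirtualHost's ServerName to one of:
    'enforced'          - open_basedir set with php_admin_value
    'needs_admin_value' - open_basedir set only with php_value
    'missing'           - no open_basedir line in the block
    """
    results, current = {}, None
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):      # Apache comment line
            continue
        if VHOST_OPEN.match(line):
            current = {"name": "(unnamed)", "status": "missing"}
        elif VHOST_CLOSE.match(line) and current is not None:
            results[current["name"]] = current["status"]
            current = None
        elif current is not None:
            name = SERVER_NAME.match(line)
            if name:
                current["name"] = name.group(1)
                continue
            setting = BASEDIR.match(line)
            if setting and setting.group(1).lower() == "php_admin_value":
                current["status"] = "enforced"
            elif setting and current["status"] != "enforced":
                current["status"] = "needs_admin_value"
    return results


# Constructed sample configuration (not taken from the bug report).
SAMPLE = """\
<VirtualHost *:80>
    ServerName alpha.example
    php_value open_basedir '.'
</VirtualHost>
<VirtualHost *:80>
    ServerName beta.example
    php_admin_value open_basedir '.'
</VirtualHost>
<VirtualHost *:80>
    ServerName gamma.example
    # php_admin_value open_basedir '.'
</VirtualHost>
"""

if __name__ == "__main__":
    for host, status in audit_vhosts(SAMPLE).items():
        print(f"{host}: {status}")
```
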
