Bug #23956 fopen cannot write in include-path
Submitted: 2003-06-02 08:19 UTC Modified: 2003-06-02 14:18 UTC
From: markus at scherner dot de Assigned:
Status: Not a bug Package: Filesystem function related
PHP Version: 4.3.2 OS: win nt, win xp, unix
Private report: No CVE-ID: None
 [2003-06-02 08:19 UTC] markus at scherner dot de
Hey everybody.
Today I updated PHP on my local system (win nt) from 4.3.0 to 4.3.2. Now the function fopen() gives me an error when I want to write a file within the include path. In the version before, this error did not exist.

I am using the following syntax:

$fp = fopen($maildir.$localmaildir.microstamp().'_'.$email.'.txt',"w",1);


Remark for you:
The include path is set beforehand to a path outside the htdocs dir. The command fopen (see above) is called from a function which is included within the script, the var $maildir.$localmaildir is a dir within the include dir, and all worked fine until the update, so it must be a bug (or it was a bug before and I lived with the bug as well :-) ).

The error output is:
fopen(mail/localmail/105455483215927000_test@test.de.txt): failed to open stream: No such file or directory in c:\www\casyincs\functions.php on line 1182 

The paths are:
www\casyincs (include dir)

www\casyincs\functions.php (includefile with the command)

www\casyincs\mail\localmail (the file has to be saved in this dir)

www\htdocs\index.php (web-directory with executing script)

Hoping for an answer,
best regards and thank you for a wonderful, powerful programming language!!!

best regards
Markus

 [2003-06-02 09:33 UTC] wez@php.net
Writing to a file in the include path will give undefined results and is a potential security risk.

As such we do not support it, and you might find that attempting to use fopen() in this way will raise a warning in PHP 5.
 [2003-06-02 12:54 UTC] markus at scherner dot de
I know this very well, and I use the function in this example only for my own tests, which are not officially assignable. If it is as risky as you say, why is the parameter [in include path] supported for this function? And moreover, why does it work in 4.3.0 and not in 4.3.2?
 [2003-06-02 13:18 UTC] pollita@php.net
#1) The path you are attempting to write does not (probably anyway) exist.  Here's why:

You pass: "mail/localmail/105455483215927000_test@test.de.txt" to fopen and tell it to write in the include path.

The include path includes, among other locations: /www/casyincs/mail/localmail 

Adding the includepath to the file requested gives:

/www/casyincs/mail/localmail/mail/localmail/105455483215927000_test@test.de.txt

Notice how the file provided to fopen is seen as a relative path to the include path.  So of course it can't write to the file, the directory /www/casyincs/mail/localmail/mail/localmail doesn't exist.  None of the other path locations leads to a legitimate location either so the write fails.

#2) For boolean options, try to use TRUE rather than merely a value which evaluates to true.

#3) Using the include path with a write is supported because there could be legitimate uses for it (though esoteric ones).  It is, however, discouraged because it becomes very easy for the unwary programmer to create a situation wherein system files are overwritten because one of the included paths matches the path passed to fopen and consequently system files are overwritten.  Now, imagine a malicious user finding such a vulnerability in your code: he submits data which results in a PEAR class being overwritten with code which, in turn, compromises the integrity of your system as a whole.

In general, because you already know the path where you want to create your file, using the include_path option only serves to expose you to unpredictable behavior (as you've already seen) without adding to your functionality.

That said, your script probably worked earlier, not because of the version, but because you had '.' (current directory) included in your path.
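
Added example, not part of the original comments or of PHP's own code: it lists the locations a relative name combines with for each include_path entry, then creates the file under one explicit directory so include_path is never consulted. The names candidate_paths(), open_mail_file(), the sample include_path value and the temporary directory are assumptions made for illustration; candidate_paths() only enumerates the combinations described above and is not PHP's internal resolver.

```php
<?php
// Added example; candidate_paths(), open_mail_file() and $base are hypothetical names.

/** One candidate location per include_path entry for a relative name. */
function candidate_paths(string $relative, string $includePath): array
{
    $out = [];
    foreach (explode(PATH_SEPARATOR, $includePath) as $dir) {
        if ($dir !== '') {
            $out[] = rtrim($dir, '/\\') . '/' . $relative;
        }
    }
    return $out;
}

/** Create a new file under one fixed directory; include_path is never consulted. */
function open_mail_file(string $base, string $name)
{
    // Reject separators, leading dots and anything outside a small character set.
    if (!preg_match('/\A[A-Za-z0-9_@-][A-Za-z0-9._@-]*\z/', $name)) {
        throw new InvalidArgumentException('unsafe file name');
    }
    $dir = realpath($base);              // absolute, symlinks resolved
    if ($dir === false || !is_dir($dir)) {
        throw new RuntimeException('base directory does not exist');
    }
    // Mode 'x' fails if the file already exists, so nothing is overwritten.
    $fp = fopen($dir . DIRECTORY_SEPARATOR . $name, 'x');
    if ($fp === false) {
        throw new RuntimeException('cannot create file');
    }
    return $fp;
}

// Constructed include_path value: an application directory plus a PEAR directory.
$includePath = '/www/casyincs' . PATH_SEPARATOR . '/usr/share/pear';
print_r(candidate_paths('mail/localmail/msg.txt', $includePath));

// Constructed demo directory and file name.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'localmail_demo_' . getmypid();
mkdir($base, 0700);
$fp = open_mail_file($base, '105455483215927000_test@test.de.txt');
fwrite($fp, "constructed message body\n");
fclose($fp);

try {
    open_mail_file($base, '../functions.php');   // path with separators is refused
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```
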
 [2003-06-02 14:18 UTC] markus at scherner dot de
Thanks for your fast answer.
#1) Include path is www/casyincs, nothing more. I pass fopen() the path "mail/localmail/file" so that the files must be written into the dir:
www/casyincs/mail/localmail/file

I have changed nothing in this script before updating to 4.3.2, so I am wondering what my fault could be.
You are definitely right regarding the insecurity of writing within the include path, no question.
Nevertheless, what has changed in the new version now regarding this item? (Sorry, but I do not understand what my fault is, and sorry for my English :-) )
 
Last updated: Sun Jun 02 07:01:30 2024 UTC