php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #64573 Confusing open_basedir errors when parent folders are inaccessible
Submitted: 2013-04-03 03:11 UTC Modified: -
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: bradley dot will at gmail dot com Assigned:
Status: Open Package: Filesystem function related
PHP Version: 5.3.23 OS: Windows 2008
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: bradley dot will at gmail dot com
New email:
PHP Version: OS:

 

 [2013-04-03 03:11 UTC] bradley dot will at gmail dot com
Description:
------------
Tested on Windows; Linux's behavior is as expected. I'm using a Plesk 
install but I think this will happen with any similar folder structure.

Basically, open_basedir or require_once give confusing error messages when 
multiple parent folders to the open_basedir have security settings which prevent 
access. 

The confusing error messages are pasted under Actual Result; "open_basedir 
restriction in effect. File() is not within the allowed path(s)" is the first 
error seen, which is an incorrect error; the file IS within the allowed path. 
Only the second error message, Operation not permitted, is somewhat accurate. 
However it is still suboptimal compared to the other error condition:


When only the open_basedir itself (and not its parent folder) has security 
settings which prevent access, the error message is what I would expect.

The expected error message is pasted under Expected Result; "Permission denied" 
is the appropriate error to use when file/folder permissions are preventing 
access to a file or folder, not "operation not permitted."

Test script:
---------------
<?php
// First, ensure that the Plesk, Additional, PleskPHP5, and PEAR folder (and its contents, including the MDB2.php file) all have their Windows security settings such that the PHP user CANNOT read or list the contents (i.e. readable to admins only.) Then ensure that open_basedir includes the path to the file (C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\PEAR\). Then run this script, note the output, and click the "try opening file" link at the bottom, and note the output.
// Second, grant permissions to read and list all folders, EXCEPT for the PEAR folder (and its contents, including the MDB2.php file.) Run this script and note outputs.
// Finally, grant permissions to read and list all folders including the PEAR folder and the MDB2.php file. Run this script and note outputs.

echo "<pre>";
echo shell_exec("whoami")."-------------------------------------------\n";
echo htmlentities(shell_exec("cd C:\Program Files (x86)\Parallels\ && dir"))."-------------------------------------------\n";
echo htmlentities(shell_exec("cd C:\Program Files (x86)\Parallels\Plesk\ && dir"))."-------------------------------------------\n";
echo htmlentities(shell_exec("cd C:\Program Files (x86)\Parallels\Plesk\Additional\ && dir"))."-------------------------------------------\n";
echo htmlentities(shell_exec("cd C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\ && dir"))."-------------------------------------------\n";
echo htmlentities(shell_exec("cd C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\PEAR\ && dir"))."-------------------------------------------\n";
if(isset($_GET["open"])){
	if(require_once('C:\Program Files (x86)\Parallels\Plesk\Additional\PleskPHP5\PEAR\MDB2.php')){
	  echo "OPENED\n";	}
	else {	  echo "FAILED TO OPEN\n";	} }
echo '<a href="?open=true">Try opening file</a>';
echo "</pre>";

Expected result:
----------------
When any file/folder security setting causes the file to be inaccessible:

PHP Warning:  require_once(C:\Program Files 
(x86)\Parallels\Plesk\Additional\PleskPHP5\PEAR\MDB2.php): failed to open stream: 
Permission denied in 
C:\inetpub\vhosts\server.example.net\site.example.net\siteControllerCommon\test.p
hp on line 16
PHP Fatal error:  require_once(): Failed opening required 'C:\Program Files 
(x86)\Parallels\Plesk\Additional\PleskPHP5\PEAR\MDB2.php' 
(include_path='.;./includes;./pear') in 
C:\inetpub\vhosts\server.example.net\site.example.net\siteControllerCommon\test.p
hp on line 16

Actual result:
--------------
When the Additional (including PleskPHP5 folder by inheritance) AND PEAR folders 
are inaccessible to the user:

PHP Warning:  require_once(): open_basedir restriction in effect. 
File(C:/Program Files (x86)/Parallels/Plesk/Additional/PleskPHP5/PEAR/MDB2.php) 
is not within the allowed path(s): 
(C:/Inetpub/vhosts/server.example.net\;C:\Windows\Temp\;C:\Program Files 
(x86)\Parallels\Plesk\Additional\PleskPHP5\PEAR\) in 
C:\inetpub\vhosts\server.example.net\site.example.net\test.php on line 2
PHP Warning:  require_once(C:/Program Files 
(x86)/Parallels/Plesk/Additional/PleskPHP5/PEAR/MDB2.php): failed to open 
stream: Operation not permitted in 
C:\inetpub\vhosts\server.example.net\site.example.net\test.php on line 2
PHP Fatal error:  require_once(): Failed opening required 'C:/Program Files 
(x86)/Parallels/Plesk/Additional/PleskPHP5/PEAR/MDB2.php' 
(include_path='.;./includes;./pear') in 
C:\inetpub\vhosts\server.example.net\site.example.net\test.php on line 2

When only the PEAR folder is inaccessible to the user:

PHP Warning:  require_once(C:\Program Files 
(x86)\Parallels\Plesk\Additional\PleskPHP5\PEAR\MDB2.php): failed to open 
stream: Permission denied in 
C:\inetpub\vhosts\server.example.net\site.example.net\siteControllerCommon\test.
php on line 16
PHP Fatal error:  require_once(): Failed opening required 'C:\Program Files 
(x86)\Parallels\Plesk\Additional\PleskPHP5\PEAR\MDB2.php' 
(include_path='.;./includes;./pear') in 
C:\inetpub\vhosts\server.example.net\site.example.net\siteControllerCommon\test.
php on line 16

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-04-03 20:16 UTC] mail+php at requinix dot net
Ah, I remember this bug. The overall problem is that the file access fails and 
calling code assumes the reason is an open_basedir restriction.

See also:
- bug 44901 (file does not exist)
- bug 52065 and bug 53041 (accessing "foo/bar" where foo is an existing *file*)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 23:01:29 2024 UTC