Bug #15547 tempnam() bypasses security
Submitted: 2002-02-14 02:18 UTC Modified: 2005-01-31 23:13 UTC
From: temisu at utu dot fi Assigned:
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 4.0.6 OS: Linux(RedHat 7.1)
Private report: No CVE-ID: None
 [2002-02-14 02:18 UTC] temisu at utu dot fi
The tempnam() function bypasses the open_basedir directive
set by php.ini.

This can be seen, e.g., with the following code:

$tfile=tempnam("/tmp","foobar");
// this succeeds regardless of the open_basedir setting
$fp=fopen($tfile,"w");
// the file is already created, but fopen() fails if
// open_basedir is set and does not include /tmp


 [2002-02-15 13:08 UTC] sander@php.net
Are you sure safe-mode is enabled? 
 [2002-02-18 01:44 UTC] temisu at utu dot fi
> Are you sure safe-mode is enabled?

No, it is not. open_basedir seems to be an independent directive
with no connection to safe-mode (at least, the directory
restrictions work on other file operations but not on tempnam).

The following is an example of what triggered this in my code.

php.ini has open_basedir=/www/htdocs and safe_mode= off

The working code...

$tfile=tempnam("/www/htdocs/tmp","foobar");
// success if /www/htdocs/tmp/ exists and is writable
// directory
$fp=fopen($tfile,"w");
// opens the file.

The initial version, which does not care about the
open_basedir...

$tfile=tempnam("/tmp","foobar");
// creates the temp-file.
$fp=fopen($tfile,"w");
// tries to open the file but does not succeed because of
// the open_basedir setting!
//
// Because no other file operations can be used on /tmp,
// this code clutters the /tmp directory with zero-byte
// temp files.
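An added example, not code from the bug report, showing how a script can avoid the stray-file problem described above: resolve the open_basedir list itself and refuse to call tempnam() on a directory outside it, so nothing is ever created in /tmp that the script is then forbidden to remove. It assumes PHP 7 or later and a php.ini like the reporter's (open_basedir=/www/htdocs, safe_mode=off); the function names are the author's own.

```php
<?php
// Added example, not code from this bug report. Assumes PHP 7 or later
// and a php.ini like the reporter's: open_basedir=/www/htdocs, safe_mode=off.
// open_basedir entries resolved to absolute directories with a trailing
// separator; an empty array means no restriction is configured.
function open_basedir_roots(): array {
    $roots = [];
    foreach (explode(PATH_SEPARATOR, (string) ini_get('open_basedir')) as $entry) {
        if ($entry !== '' && ($real = realpath($entry)) !== false) {
            $roots[] = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        }
    }
    return $roots;
}

// True when the resolved $path lies under one of $roots (or none are set).
function path_within_basedir(string $path, array $roots): bool {
    if ($roots === []) {
        return true;
    }
    $real = realpath($path);   // false for a missing or unresolvable path
    if ($real === false) {
        return false;
    }
    $real = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    foreach ($roots as $root) {
        if (strncmp($real, $root, strlen($root)) === 0) {
            return true;
        }
    }
    return false;
}

// tempnam() wrapper: refuse a directory outside open_basedir before any file
// is created (no stray zero-byte file in /tmp), then re-check the path that
// tempnam() returns, since it may fall back to the system temp directory.
function basedir_tempnam(string $dir, string $prefix) {
    $roots = open_basedir_roots();
    if (!path_within_basedir($dir, $roots)) {
        return false;
    }
    $file = tempnam($dir, $prefix);
    if ($file === false || !path_within_basedir($file, $roots)) {
        return false;   // treat as a misconfiguration, not a transient error
    }
    return $file;
}

// The reporter's two calls (directories assumed to exist and be writable):
var_dump(basedir_tempnam('/www/htdocs/tmp', 'foobar')); // allowed: inside the base dir
var_dump(basedir_tempnam('/tmp', 'foobar'));            // refused: outside open_basedir
```

The pre-check is the part that matters on an affected build: once a file has been created outside open_basedir, unlink() on it is blocked just like fopen(), so the only reliable mitigation is to never ask for it.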
 [2002-02-18 10:20 UTC] sander@php.net
AFAIK, open_basedir restrictions only _work_ when having safe_mode ON.
 [2002-02-19 01:10 UTC] temisu at utu dot fi
The document

http://www.php.net/manual/en/features.safe-mode.php

says that

If instead of safe_mode, you set an open_basedir directory 
   ^^^^^^^
then all file operations will be limited to files under the specified directory For example (Apache httpd.conf example):
 [2002-02-20 15:37 UTC] rasmus@php.net
open_basedir is completely separate from safe_mode so this is actually a bug.
 [2002-07-02 02:17 UTC] derick@php.net
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at http://snaps.php.net/. In case this was a documentation 
problem, the fix will show up soon at http://www.php.net/manual/.
In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.


 [2002-07-14 06:04 UTC] shane at aaatechnologiesaus dot net
open_basedir =/var/vhosts/sites:/tmp/