php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #21975 document safe_mode/open_basedir gotchas
Submitted: 2003-01-30 21:41 UTC Modified: 2006-01-19 16:45 UTC
Votes:7
Avg. Score:4.4 ± 0.5
Reproduced:6 of 6 (100.0%)
Same Version:3 (50.0%)
Same OS:2 (33.3%)
From: philip at cornado dot com Assigned:
Status: Closed Package: Documentation problem
PHP Version: Irrelevant OS: Irrelevant
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: philip at cornado dot com
New email:
PHP Version: OS:

 

 [2003-01-30 21:41 UTC] philip at cornado dot com 
This bug report is where we list quirks, concerns, BC breaks, uses, and general gotchas that stem from either safe mode or open_basedir.  Information that everyone from sysadmin's to newbie users should know.

For example, a potential safe_mode gotcha:

  - As of PHP 4.3.0, the PHP_AUTH_* variables are NOT
    available in PHP when both an external auth mechanism
    exists and PHP is in safe mode.  Note: REMOTE_USER is
    available regardless.

There are others that belong in this bug report and eventually in the docs.  Regarding open_basedir, there is a recent (4.3.0) PHP change regarding both upload_dir and include_path but I'm not sure what they are exactly ...  hopefully this bug report will know soon ;)  And there are others.

open_basedir and safe mode are documented here:
  - phpdoc/{lang}/features/safe-mode.xml

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-04-17 20:01 UTC] moron at industrial dot org 
It appears that move_uploaded_file() is either broken with 4.3.1 
or its behaviour radically changed under safe_mode.  All of a 
sudden file uploads are now failing with "open_basedir" 
restriction errors (kind of defeating the purpose of 
move_uploaded_file IMHO).  Some clarification on this issue 
would be definitely appreciated.

Cheers
 [2003-05-14 07:31 UTC] nickyboy at 4ce dot co dot uk 
Following an upgrade from 4.0.6 is seems that open_basedir and move_uploaded_file no longer resolve symlinks.  
Previously the scripts worked with no problem, but we've just had to update httpd.conf so the
php_admin_value open_basedir 
is now the real path rather than a symlink...

The documentation for open_basedir states:
http://www.php.net/manual/sl/features.safe-mode.php
"All symbolic links are resolved"

There is a user comment on move_file_upload but there is no formal documentation for this!  I'm guessing it's a bug rather than new behaviour, or the documentation needs a look...  

This is however a different issue from bug 21885
and that maybe worth a look first if you are getting errors mentioning the /tmp  directory!
 [2003-09-10 09:11 UTC] tim at timj dot co dot uk 
As noted in bug 13843, all program execution functions pass the complete command that is about to be executed to the internal equivalent of escapeshellcmd() before executing, when in safe mode.

This is a very important gotcha which doesn't appear to be documented anywhere; it should be documented on the manual page for each program execution function, and also in "Features -> Safe Mode -> Functions restricted/disabled by safe mode".
 [2004-07-27 19:26 UTC] vrana@php.net 
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

Continue with listing, I just documented escapeshellcmd.

"escapeshellcmd() is executed on the argument of this function." by all exec functions restricted by safe_mode.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Oct 27 21:00:02 2025 UTC