Bug #27160 open_basedir contains "." but script fails to include "./dir/file.txt"
Submitted: 2004-02-05 11:42 UTC Modified: 2004-02-09 20:08 UTC
From: bjorn dot wiberg at home dot se Assigned:
Status: Not a bug Package: Apache2 related
PHP Version: 5CVS-2004-02-06 OS: Debian GNU/Linux 3.0r2 (mixed)
Private report: No CVE-ID: None
 [2004-02-05 11:42 UTC] bjorn dot wiberg at home dot se
Description:
------------
Using PHP for a virtual host, with open_basedir set to "." (a dot).

When running a script that includes files in subdirectories relative to the script on the form "./dir/file.inc", those files fail to get included, and the error log says that those files are not within the allowed path.

Even though the open_basedir documentation says that "." should allow files in the current directory *and subdirectories* to be included.

Setting open_basedir to include "./" fixes the problem.

(I've now started to include ".:./" in my open_basedir to be on the "safe" side...)


NOTE: This is not the same thing as bug #14396 (http://bugs.php.net/bug.php?id=14396) as I'm not using safe mode, and don't get the "wrong directory error" but instead the "is not within the allowed path(s)" error.

SIDENOTE: Bug #26310 (http://bugs.php.net/bug.php?id=26310) has a very odd comment at the end; why would "./" be almost the same thing as not setting any open_basedir restrictions at all? I would say that "/" would be the same thing as not setting it at all, but not "./"...

Reproduce code:
---------------
I'm using phpMyAdmin 2.5.5-pl1 from:
http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.5.5-pl1.tar.gz?download

...together with Apache 2.0.48-7 (apache2-mpm-worker, apache2-common, apache2-doc Debian packages) and PHP 5.0.0b3 as an Apache 2 SAPI module.

At the moment I'm not running PHP in safe mode.

I'm also more or less using the standard PHP config of php.ini-recommended, also locking some of its values with php_admin_value and php_admin_flag in main server config.

Overriding doc_root, max_execution_time, memory_limit, open_basedir and safe_mode_exec_dir (a remainder from the time when I used safe mode) for each virtual host.

Expected result:
----------------
No errors should appear in the Apache error log. The inclusion of files from the script should work.

"." as open_basedir ought to allow inclusion both of files in the same directory as the script (i.e. include "file.txt" AND "./file.txt") and subdirectories (i.e. include "directory/file.txt" -- at least if "." is also in the include_path -- AND "./directory/file.txt").

Actual result:
--------------
WITH OPEN_BASEDIR SET TO ".":

[client 81.224.231.55] PHP Fatal error:  main(): Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/
[client 81.224.231.55] PHP Warning:  main(): open_basedir restriction in effect. File(./libraries/grab_globals.lib.php) is not within the allowed path(s): (.) in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/queryframe.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792
[client 81.224.231.55] PHP Warning:  main(./libraries/grab_globals.lib.php): failed to open stream: Operation not permitted in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/queryframe.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792
[client 81.224.231.55] PHP Fatal error:  main(): Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/queryframe.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792
[client 81.224.231.55] PHP Warning:  main(): open_basedir restriction in effect. File(./libraries/grab_globals.lib.php) is not within the allowed path(s): (.) in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/left.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792
[client 81.224.231.55] PHP Warning:  main(./libraries/grab_globals.lib.php): failed to open stream: Operation not permitted in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/left.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792
[client 81.224.231.55] PHP Fatal error:  main(): Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/left.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792
[client 81.224.231.55] PHP Warning:  main(): open_basedir restriction in effect. File(./libraries/grab_globals.lib.php) is not within the allowed path(s): (.) in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/main.php?lang=sv-iso-8859-1&server=1
[client 81.224.231.55] PHP Warning:  main(./libraries/grab_globals.lib.php): failed to open stream: Operation not permitted in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/main.php?lang=sv-iso-8859-1&server=1
[client 81.224.231.55] PHP Fatal error:  main(): Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/main.php?lang=sv-iso-8859-1&server=1


WITH OPEN_BASEDIR SET TO "./":

[Thu Feb 05 17:08:00 2004] [notice] SIGUSR1 received.  Doing graceful restart
[Thu Feb 05 17:08:00 2004] [notice] Digest: generating secret for digest authentication ...
[Thu Feb 05 17:08:00 2004] [notice] Digest: done
[Thu Feb 05 17:08:00 2004] [notice] Apache configured -- resuming normal operations

(That is, no errors appear.)

 [2004-02-06 11:18 UTC] sniper@php.net
I can not reproduce this. Try with CLI.

 [2004-02-06 14:10 UTC] bjorn dot wiberg at home dot se
(The version is 2004-02-06 10:30, not 2004-02-05.)

Tried with open_basedir = "." and all error logging enabled with the CLI version. No errors.

Just to make sure that the CLI version was obeying the open_basedir directive, I tried changing it to a completely different directory (where the script isn't located) and then open_basedir errors were shown.

So it seems I cannot reproduce the error with the CLI version -- it only appears in the PHP SAPI version.

Any suggestions (other than including "./" in open_basedir as a work-around)?

Best regards,
Björn
 [2004-02-09 19:17 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Using "." or "./" is a really bad idea for a SAPI like 
Apache 2, since it is very likely that the current 
directory is not what you think it is. The underlying code 
for figuring out open_basedir is identical in both CLI and 
Apache 2 sapi. 
 [2004-02-09 20:08 UTC] bjorn dot wiberg at home dot se
Hi!

I once again read the safe mode sections (where open_basedir is described), but I'm afraid that doesn't explain why "." and/or "./" is a bad idea in the Apache 2 SAPI, or why the current directory isn't what I think it is. Would you please elaborate on this?

Thanks in advance!

Best regards,
Björn
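
Added example, not part of the original report and not PHP's own code: a diagnostic script that shows what each open_basedir entry resolves to under the SAPI that runs it, so the output from the CLI and from the Apache module can be compared. The function names are hypothetical, POSIX paths are assumed, and the prefix comparison is an approximation of the documented matching rule, not PHP's internal check.

```php
<?php
// Added diagnostic (not from the bug report). Run it once with the CLI and
// once through the web server, then compare the two outputs.

// Resolve each open_basedir entry to an absolute path. Relative entries such
// as "." or "./" are resolved against the process working directory at the
// moment of the call, which is the point of the comparison.
function resolve_basedir_entries(string $setting): array
{
    $resolved = [];
    foreach (explode(PATH_SEPARATOR, $setting) as $entry) {
        if ($entry === '') {
            continue; // directive unset or empty list element
        }
        $abs = realpath($entry); // false if the entry cannot be resolved
        if ($abs !== false && $abs !== '/' && substr($entry, -1) === '/') {
            $abs .= '/'; // keep the trailing slash: directory-only match
        }
        $resolved[$entry] = $abs;
    }
    return $resolved;
}

// Assumption: plain string-prefix comparison, as the manual describes it.
function is_under(string $dir, $base): bool
{
    return $base !== false && strncmp($dir . '/', $base, strlen($base)) === 0;
}

if (php_sapi_name() !== 'cli') {
    header('Content-Type: text/plain');
}

$scriptDir = dirname(__FILE__);
$setting   = (string) ini_get('open_basedir');

printf("SAPI:         %s\n", php_sapi_name());
printf("getcwd():     %s\n", var_export(getcwd(), true));
printf("script dir:   %s\n", $scriptDir);
printf("open_basedir: %s\n", $setting === '' ? '(unset)' : $setting);

foreach (resolve_basedir_entries($setting) as $entry => $abs) {
    printf("  entry %-8s resolves to %s; script dir %s\n",
        var_export($entry, true),
        var_export($abs, true),
        is_under($scriptDir, $abs) ? 'is covered' : 'is NOT covered');
}
```

If getcwd() differs between the two runs, a relative entry restricts a different tree in each; an absolute per-virtual-host path set with php_admin_value does not depend on the working directory.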
 
Last updated: Sun Dec 22 01:01:30 2024 UTC