Bug #31309 open_basedir restrictions do not work on symlinks
Submitted: 2004-12-27 12:30 UTC Modified: 2007-06-19 22:23 UTC
Votes:6
Avg. Score:4.8 ± 0.4
Reproduced:6 of 6 (100.0%)
Same Version:3 (50.0%)
Same OS:3 (50.0%)
From: frido at isp-services dot nl Assigned:
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5CVS, 4CVS (2005-01-20) OS: *
Private report: No CVE-ID: None
 [2004-12-27 12:30 UTC] frido at isp-services dot nl
Description:
------------
We currently define in our apache vhost the following doc_root:

php_admin_value open_basedir "/home/sites/site7/:/home/sites/www.sjeemz.be/:/usr/lib/php/:/tmp:/home/sites/general"

Where site7 is a real directory and sjeemz.be is a symlink, when we use the symlink as a directory to save to:

http://www.sjeemz.be/upload/index.php

this creates an error, while the symlink is in the open_basedir.


Reproduce code:
---------------
http://www.sjeemz.be/upload/index.phps

Expected result:
----------------
"When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink."

the symlink is not resolved to site7 in example above.


Actual result:
--------------
Warning: move_uploaded_file(): open_basedir restriction in effect. File(/home/sites/symlink/web/uploads/chenbro_aug.sxc) is not within the allowed path(s): (/home/sites/symlink/web) in /home/sites/test/web/index.php on line 16
There was an error whilst uploading the file.
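
For administrators checking a vhost like the one in this report, the following added example (not code from the report or from PHP itself) resolves every open_basedir entry and a target path, flags entries that are symlinks, and compares literal containment with containment after resolving both sides. The directory names, the function names and the component-wise containment rule are assumptions of the example; PHP's internal check is not reproduced here.

```python
import os
import tempfile

def _inside(path, base):
    # Directory containment by path component, so /sites/site7 never matches /sites/site70.
    return os.path.commonpath([path, base]) == base

def audit_open_basedir(value, target):
    """Report symlinked open_basedir entries and whether target is covered
    literally (paths as written) and after resolving symlinks on both sides."""
    literal_target = os.path.abspath(target)
    real_target = os.path.realpath(target)
    report = {"entries": [], "literal_match": False, "resolved_match": False}
    for entry in filter(None, value.split(":")):  # ':' separator as in the vhost line above
        real_entry = os.path.realpath(entry)
        report["entries"].append({
            "entry": entry,
            "is_symlink": os.path.islink(entry.rstrip("/")),
            "resolves_to": real_entry,
        })
        report["literal_match"] |= _inside(literal_target, os.path.abspath(entry))
        report["resolved_match"] |= _inside(real_target, real_entry)
    return report

def build_sample_layout(root):
    """Constructed layout: site7 is a real directory, www.example.test is a symlink to it."""
    real = os.path.join(root, "site7")
    link = os.path.join(root, "www.example.test")
    os.makedirs(os.path.join(real, "web", "uploads"))
    os.symlink(real, link)
    return real, link

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        real, link = build_sample_layout(os.path.realpath(tmp))
        upload = os.path.join(link, "web", "uploads", "sample.sxc")  # reached via the symlink
        result = audit_open_basedir(real + "/", upload)  # only the real directory is listed
        for item in result["entries"]:
            print(item)
        print("literal:", result["literal_match"], "resolved:", result["resolved_match"])
```

An entry flagged `is_symlink`, or a target whose literal and resolved results differ, marks a spot where the configured value and the real directory tree disagree.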

 [2005-01-20 23:50 UTC] phpdotnet at sjeemz dot nl
problem also exists in PHP 5.0.3 on RedHat 7.3
 [2005-01-20 23:54 UTC] frido at isp-services dot nl
still the same problem, for our configuration see: http://www.sjeemz.be/upload/phpinfo.php
 [2006-06-20 13:36 UTC] frido at isp-services dot nl
still the same problem on 4.4.2, is this still considered a defect?
 [2006-07-22 12:29 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2006-07-30 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2006-08-10 11:24 UTC] frido at isp-services dot nl
Still exists in latest cvs php5.2-200608100830 / PHP Version 5.2.0RC2-dev


Warning: move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect. File(/home/sites/www.sjeemz.be/web/files/moz-screenshot.jpg) is not within the allowed path(s): (/home/sites/site144:/home/sites/www.sjeemz.be:/usr/lib/php:/usr/share/php:/tmp:/home/sites/general) in /home/sites/site144/web/upload/uploader.php on line 6
There was an error uploading the file, please try again!
 [2007-01-10 22:57 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2007-01-18 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2007-06-19 22:18 UTC] jorn at isp-services dot nl
Seems to be fixed in PHP 5.2.3.
 [2007-06-19 22:23 UTC] frido at isp-services dot nl
Fixed in PHP 5.2.3
 
Last updated: Thu Jan 09 02:01:30 2025 UTC