Bug #38963 tempnam bypasses open_basedir
Submitted: 2006-09-26 15:19 UTC Modified: 2006-09-27 23:45 UTC
From: manuel at mausz dot at Assigned: iliaa (profile)
Status: Closed Package: Filesystem function related
PHP Version: 4.4.4 OS: Linux/Gentoo
Private report: No CVE-ID: None
 [2006-09-26 15:19 UTC] manuel at mausz dot at
Description:
------------
tempnam bypasses open_basedir if dir = false

Reproduce code:
---------------
<?php $tempfile = tempnam(false, "phptest"); ?>

Expected result:
----------------
Warning: tempnam() [function.tempnam]: open_basedir restriction in effect. File(/tmp) is not within the allowed path(s): (...) in

Actual result:
--------------
# ls /tmp/phptest*
/tmp/phptestt4mIOa

 [2006-09-26 15:30 UTC] tony2001@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php4-STABLE-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php4-win32-STABLE-latest.zip

Cannot reproduce:

# ./sapi/cli/php -r 'var_dump(tempnam(false, "temp"));'

Warning: tempnam(): open_basedir restriction in effect. File() is not within the allowed path(s): (/www) in Command line code on line 1
bool(false)

 [2006-09-26 15:58 UTC] manuel at mausz dot at
Please try using mod_php. Using the client also doesn't work for me.

Oh and just to be sure:
- tried with safe_mode on + off
- open_basedir does _not_ include /tmp ;)
 [2006-09-26 16:03 UTC] tony2001@php.net
Make sure your phpinfo() displays the expected value of open_basedir. Turn on display_errors etc.
It doesn't depend on the server API in any way.
 [2006-09-26 18:45 UTC] manuel at mausz dot at
Ok, here is the detailed problem:

If tempnam() is called with an empty string, expand_filepath() (called from php_check_specific_open_basedir()) will expand this string to cwd. The cwd is most probably in open_basedir, so php_check_specific_open_basedir succeeds.
tempnam() will then call php_open_temporary_file() which includes a fallback to php_get_temporary_directory().

In most Apache setups, PHP is not able to write to the cwd (because of safe_mode), so php_open_temporary_file() will fall back. This is not the case when using client, so php -d open_basedir=`pwd` -r 'var_dump(tempnam(false, "temp"));' works.
 [2006-09-27 23:45 UTC] iliaa@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.
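
The check-then-fallback ordering described in the 18:45 comment, modeled as an added example (this is not PHP source and not the CVS fix, which the page does not show). All function names, the `/www` basedir, the `/www/site` cwd and the writability rule are constructed assumptions; the second function shows one way to close the gap by checking the directory that is actually used.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not PHP source. All names and paths are hypothetical. */
#define BASEDIR "/www"       /* constructed open_basedir value */
#define CWD     "/www/site"  /* constructed working directory, not writable */
#define SYS_TMP "/tmp"       /* constructed system temp directory */

/* Prefix match on a directory boundary, standing in for the open_basedir check. */
static int basedir_allows(const char *path) {
    size_t n = strlen(BASEDIR);
    return strncmp(path, BASEDIR, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

/* An empty directory argument expands to the cwd, as the report describes. */
static const char *expand_dir(const char *dir) {
    return (dir == NULL || *dir == '\0') ? CWD : dir;
}

/* Stand-in for a writability probe: in this model only SYS_TMP is writable. */
static int writable(const char *dir) { return strcmp(dir, SYS_TMP) == 0; }

/* Flawed order: the check covers the requested dir, the fallback is never checked. */
const char *tempdir_unchecked_fallback(const char *dir) {
    const char *d = expand_dir(dir);
    if (!basedir_allows(d)) return NULL;
    return writable(d) ? d : SYS_TMP;
}

/* Hardened order: re-check the directory that will actually receive the file. */
const char *tempdir_checked_fallback(const char *dir) {
    const char *d = expand_dir(dir);
    if (!basedir_allows(d)) return NULL;
    if (!writable(d)) d = SYS_TMP;
    return basedir_allows(d) ? d : NULL;
}

int main(void) {
    const char *a = tempdir_unchecked_fallback("");
    const char *b = tempdir_checked_fallback("");
    printf("unchecked fallback: %s\n", a ? a : "(denied)");
    printf("checked fallback:   %s\n", b ? b : "(denied)");
    return 0;
}
```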


 
Last updated: Sat Nov 23 08:01:28 2024 UTC