PHP :: Bug #41492 :: open_basedir bypass via readfile()

Bug #41492	open_basedir bypass via readfile()
Submitted:	2007-05-24 15:55 UTC	Modified:	2007-05-27 17:33 UTC
From:	bugs dot php dot net at chsc dot dk	Assigned:
Status:	Closed	Package:	Safe Mode/open_basedir
PHP Version:	5.2.2	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	bugs dot php dot net at chsc dot dk
New email:
PHP Version:		OS:

New Comment:

[2007-05-24 15:55 UTC] bugs dot php dot net at chsc dot dk

Description:
------------
file_exists() etc. does not allow checking the existence of files outside the directories specified in open_basedir.

Appearently readfile() does *not* have this restriction and thus allows checking the existence of files anywhere in the filesystem. If realpath($filename) returns a string (i.e. not false), the file exists. This is a circumvention of the open_basedir restriction in file_exists() etc.


Reproduce code:
---------------
The following should always be true, but it isn't when $dir is outside the directories specified in open_basedir:

var_dump(file_exists($dir) === (bool) realpath($dir));

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-05-27 17:33 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Tue Dec 03 18:01:30 2024 UTC