PHP :: Bug #41518 :: file_exists() warns of open_basedir restriction on non-existent file

Bug #41518

file_exists() warns of open_basedir restriction on non-existent file

Submitted:

2007-05-28 13:38 UTC

Modified:

2007-07-03 07:05 UTC

Votes:	8
Avg. Score:	4.4 ± 0.5
Reproduced:	5 of 6 (83.3%)
Same Version:	3 (60.0%)
Same OS:	4 (80.0%)

From:

ruben dot willmes at emil2001 dot de

Assigned:

tony2001 (profile)

Status:

Closed

Package:

Safe Mode/open_basedir

PHP Version:

5.2.2

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	ruben dot willmes at emil2001 dot de
New email:
PHP Version:		OS:

New Comment:

[2007-05-28 13:38 UTC] ruben dot willmes at emil2001 dot de

Description:
------------
If open_basedir is active, file_exists(), as well as is_dir() and 
is_file(), throw an open_basedir warning if you check a non-existent 
file in a directory mentioned in the open_basedir configuration. The 
directories used in this case aren't symlinks.

The following example describes the situation with is_file(), but you'll 
get the same result with is_dir() and file_exists().

For a reference please see Bug #24313 
http://bugs.php.net/bug.php?id=24313

Sorry if this is a dub, but i didn't found any bugs referring to the 
actual PHP version

Reproduce code:
---------------
if (is_file('/var/www/localhost/htdocs/index.phph')) {
        print "File exists";
} else {
        print "File does not exist";
}


Expected result:
----------------
is_file should return a FALSE and you should read "File does not exist".

Actual result:
--------------
In addition to "File does not exist", you'll get a warning that 
open_basedir restriction is in effect:

Warning: is_file() [function.is-file]: open_basedir restriction in 
effect. File(/var/www/localhost/htdocs/index.phph) is not within the 
allowed path(s): (/var/www/localhost/htdocs/) in /var/www/localhost/
htdocs/check.php on line 3

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-05-28 22:05 UTC] xeo2001 at yahoo dot com

I have to disagree with you. 

I'v set a open base dir as /www/home/user and when i open (the by you produced code) in /www/home/user/test.php as:
<?
if (is_file('/www/home/user/index.phph')) {
 print "File exists";
}else {
 print "File does not exist";
}
?>

I just get the text "File does not exist". I think you got a problem in your server configuration?

Running system(s):
Debian 4.1
Apache 1.3.37
Php 4.4.7

[2007-05-28 22:09 UTC] xeo2001 at yahoo dot com

Ow. i forgot to mantion that the server also runs php 5 and 6. While only tested in php 4 and 5.

[2007-05-29 06:58 UTC] ruben dot willmes at emil2001 dot de

You're right, it does work correctly if i set my open_basedir to '/var/
www/localhost/htdocs' (without the trailing slash). But if i set it to 
'/var/www/localhost/htdocs/' (with the trailing slash), it doesn't work 
in my test case. Could you please try it once more setting your 
open_basedir to '/www/home/user/' (with the trailing slash)?

The system this is running on is PHP 5.2.2, with Apache 2.0.58.

thx in advance

[2007-05-29 20:39 UTC] tony2001@php.net

If we remove this warning for non-existent files, it could be possible to use file_exists() to detect which files exists (since it's perfectly legal to print this warning when the file exists).

[2007-05-30 20:20 UTC] ruben dot willmes at emil2001 dot de

Sorry, but i have to reopen this bug again.

Thx for the reply, Tony, but i don't think you understood me. 

I don't want to generally remove this error message, it's just under 
your OWN open_basedir, where you shouldn't get this message since 
you should be able to check whether the file exists under your OWN 
open_basedir, or am i wrong?

Let's make an example:

Two users, user1 and user2, both locked in their homedirs with 
open_basedir:
/home/user1/
/home/user2/

Both have one file in their directory, let's call it test.php

Now, if user1 checks whether test.php exists, he get's a true, as 
well as user2. If user1 checks user2's test.php, he'll get a false 
and an open_basedir warning since he's out of his open_basedir. 
That's correct. 

But what if user1 checks a file called test2.php under his own 
directory, /home/user1/? Should he get an open_basedir error? In my 
eyes he should only get a 'false' as the file does not exist, but no 
open_basedir warning, since he's still in his own open_basedir.

In the recent PHP5 release (5.2.2) one get's an open_basedir warning 
if you check a non-existent file under your OWN open_basedir. In a 
previous release the message was not present (i think it was 5.2.0 
or 5.2.1).

so, please reconsider this bug

[2007-05-31 11:06 UTC] tony2001@php.net

I don't think I get what you're talking about:
# ls -l /tmp/nosuch
ls: cannot access /tmp/nosuch: No such file or directory
#php -d open_basedir=/tmp -r 'var_dump(file_exists("/tmp/nosuch"));'
bool(false)

No warning whatsoever.

[2007-05-31 12:40 UTC] ruben dot willmes at emil2001 dot de

Your example is correct, that does work, but what if you change the 
following:

Instead of 

#php -d open_basedir=/tmp -r 'var_dump(file_exists("/tmp/nosuch"));'

try

#php -d open_basedir=/tmp/ -r 'var_dump(file_exists("/tmp/nosuch"));'

Notice the slash behind "open_basedir=/tmp/". With that you get

Warning: file_exists(): open_basedir restriction in effect. File(/tmp/
nosuch) is not within the allowed path(s): (/tmp/) in Command line 
code on line 1
bool(false)

[2007-06-01 00:02 UTC] phpbugs at thequod dot de

This might be related to bug #39123, where open_basedir=/tmp/ 
started to fail, as internally only "/tmp" (without trailing slash) 
got considered. (http://bugs.php.net/bug.php?id=39123)

[2007-06-18 18:41 UTC] paul at moonkhan dot org

@Ruben

Running PHP 5.2.3 on Redhat Enterprise Linux 4 I get the following:

#php -d open_basedir=/tmp -r 'var_dump(file_exists("/tmp/nosuch"));'
bool(false)

But if I switch /tmp to /tmp/ (ie, with trailing slash):

#php -d open_basedir=/tmp/ -r 'var_dump(file_exists("/tmp/nosuch"));'
PHP Warning:  file_exists(): open_basedir restriction in effect. File(/tmp/nosuch) is not within the allowed path(s): (/tmp/) in Command line code on line 1

Warning: file_exists(): open_basedir restriction in effect. File(/tmp/nosuch) is not within the allowed path(s): (/tmp/) in Command line code on line 1
bool(false)


We can eliminate this problem in our environment if we remove the trailing slashes from our open_basedir settings but that's not how open_basedir was intended to work, since trailing slashes prevent "wildcarding". For example, "/tmp" matches "/tmpfoo" and "/tmpbar" but "/tmp/" should only match, well, /tmp/.

-Paul

[2007-07-03 07:05 UTC] tony2001@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Apr 02 21:01:29 2025 UTC