php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #53263 Allow realpath cache to function even with open_basedir enabled
Submitted: 2010-11-08 14:17 UTC Modified: 2019-11-14 15:34 UTC
Votes:29
Avg. Score:3.6 ± 1.0
Reproduced:10 of 15 (66.7%)
Same Version:0 (0.0%)
Same OS:6 (60.0%)
From: tomsommer@php.net Assigned:
Status: Wont fix Package: Safe Mode/open_basedir
PHP Version: 5.3.3 OS: *
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: tomsommer@php.net
New email:
PHP Version: OS:

 

 [2010-11-08 14:17 UTC] tomsommer@php.net 
Description:
------------
As described in bug #52312 - realpath cache is disabled when open_basedir is enabled. Would it be possible to either:

1) Fix the security problem related to having both enabled at the same time
2) Add a php.ini or ./configure toggle to enable both at the same time, overriding the security aspect in order to gain performance.

Thanks

Patches

asdf (last revision 2023-03-13 17:08 UTC by jose dot lainez at se dot gob dot hn)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-11-08 17:44 UTC] rasmus@php.net 
I don't think the security problem is fixable.  We have no way to prevent the contents behind a cache entry from changing which is the root of the security problem.  And I don't see the point in open_basedir if you remove the security aspect.  The less secure toggle is to simply turn off open_basedir.  An open_basedir feature that doesn't actually guarantee that users can't open files outside of the specified base directory isn't useful.
 [2019-11-14 11:38 UTC] michael dot vorisek at email dot cz 
Is the cache issue related only when the PHP process is resused for multiple requests with different open_basedir values?

If yes, an extra switch makes 100% sense. The security is 100% kept and realpath cache will be available which makes up too 10x the performace on Windows with file heavy scripts.
 [2019-11-14 15:34 UTC] requinix@php.net
-Status: Open +Status: Wont fix
 [2019-11-14 15:34 UTC] requinix@php.net 
@michael: It applies to one request as well as it does multiple requests. One script could, during its lifetime, create and resolve a symlink to a path within open_basedir, then redirect that symlink to a path outside it.

In the interests of having one fewer open tickets regarding open_basedir performance, and since #52312 is still open, I'm going to wontfix this per @rasmus's comment.
 [2019-11-14 15:38 UTC] retertertert at fgfgfg dot com 
> One script could, during its lifetime, create and 
> resolve a symlink to a path within open_basedir, 
> then redirect that symlink to a path outside it

i wonder how it will do that with disable_functions="symlink" which is global and known at startup and with all exec&freinds also in disbale_functions
 [2019-11-14 15:42 UTC] retertertert at fgfgfg dot com 
and if you don't want to implement that check give sensile people which know their environment a ini-option instead disable the realpath cache *hardcoded* based on another ini-option with no chance to say "dear php runtime: look i disabled the race-condition with symlinks and hence the cache is fine, use it"

or fix symlink() to now allow "then redirect that symlink to a path outside it" which would close the issue where it happens instead work around it
 [2020-09-01 10:59 UTC] fuco809 at gmail dot com 
https://github.com/Whissi/realpath_turbo

why such a soltion can not be integrated as option in php core?
 [2023-03-13 17:08 UTC] jose dot lainez at se dot gob dot hn 
The following patch has been added/updated:

Patch Name: asdf
Revision:   1678727334
URL:        https://bugs.php.net/patch-display.php?bug=53263&patch=asdf&revision=1678727334
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Mar 11 19:01:31 2025 UTC