php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #53398 Latest open_basedir() changes break accessing files in subdirs
Submitted: 2010-11-24 16:01 UTC Modified: 2010-11-24 16:23 UTC
From: info at glsys dot eu Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 5.3.3 OS: Debian
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: info at glsys dot eu
New email:
PHP Version: OS:

 

 [2010-11-24 16:01 UTC] info at glsys dot eu 
Description:
------------
Hi!

Real PHP version: Debian unstable 5.3.3-4
Apache2: Debian 2.2.16-4 mpm-prefork
Safe_mode: off


As the changelog says:
+ possible flaw in open_basedir (CVE-2010-3436)

After this upgrade I can not include/open files if they are in an open_basedir subdirectory.

One more interesting thing:

My Virtualhost system is located under /data/www.
I had a symlink at /var/www pointing to /data/www.

After this upgrade the I had issues whit open_basedir if I used /var/www.

Maybe it is related to the subdir issue.

Swifty

Actual result:
--------------
[Wed Nov 24 15:04:44 2010] [error] [client w.x.y.z] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/www/include/modules/img.php) is not within the allowed path(s): (/data/www/!Admin/:/data/www/!Error/:/data/www/include/:/data/www/sites/some.domain/) in Unknown on line 0, referer: http://some.domain/index.php
[Wed Nov 24 15:04:44 2010] [error] [client w.x.y.z] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0, referer: http://some.domain/index.php
[Wed Nov 24 15:04:44 2010] [error] [client w.x.y.z] PHP Fatal error:  Unknown: Failed opening required '/var/www/include/modules/img.php' (include_path='.:/usr/share/php:/data/www/include') in Unknown on line 0, referer: http://some.domain/index.php

[Wed Nov 24 15:06:05 2010] [error] [client w.x.y.z] PHP Warning:  filemtime() [http://www.php.net/en/manual/function.filemtime.php]: stat failed for /data/www/sites/some.domain/modules/img.php in /data/www/include/modules/ob.cache.php on line 28, referer: http://some.domain/index.php

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-11-24 16:10 UTC] info at glsys dot eu
-Package: Security related +Package: Safe Mode/open_basedir
 [2010-11-24 16:10 UTC] info at glsys dot eu 
Sorry :D
Changed from Security to Safe Mode/open_basedir... :D

Swifty
 [2010-11-24 16:23 UTC] pajoye@php.net
-Status: Open +Status: Bogus
 [2010-11-24 16:23 UTC] pajoye@php.net 
Already reported and fixed in SVN. However this fix was never released (applied in 5.3.4RC, Deb should update their patch.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Jul 03 19:01:35 2025 UTC