Bug #63904 open_basedir is not respected for .user.ini files
Submitted: 2013-01-04 16:01 UTC
Modified: 2021-07-12 17:23 UTC
From: lekensteyn at gmail dot com
Assigned:
Status: Open
Package: Safe Mode/open_basedir
PHP Version: 5.4.10
OS: Linux
Private report: No
CVE-ID: None
 [2013-01-04 16:01 UTC] lekensteyn at gmail dot com
Description:
------------
(This bug possibly applies to the CGI SAPI too, but I have not checked that.)

In a default configuration for PHP-FPM, the use of .user.ini files is enabled. This feature allows you to put .user.ini interleaved with PHP files.

There is a possibility to bypass open_basedir restrictions by using symlinks. For a given open_basedir = /foo/, a symlink /foo/.user.ini -> /bar/php.ini can be used to read the configuration of /bar/php.ini.

It does not look like a feature. At first I wanted to have a .user.ini just outside the webroot (e.g. web/.user.ini with DOCUMENT_ROOT web/public_html), but having the symlink defeats the advantage of putting it outside the webroot for privacy (ignoring WWW server abilities to restrict access). Therefore, it must be a bug that open_basedir is not respected for .user.ini files.
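
An audit for the condition described in the report above, as an added example that is not part of the bug report or of PHP itself: it lists per-directory INI files under a document root whose resolved path falls outside the open_basedir directory. The function name audit_user_ini and the demo paths are hypothetical; it assumes a single open_basedir directory and a readlink that supports -f.

```shell
#!/bin/sh
# Added example: flag per-directory INI files whose real path lies outside
# the open_basedir directory. audit_user_ini is a hypothetical helper name.
# Assumptions: one open_basedir directory (no colon-separated list), treated
# as a directory the way a trailing slash makes PHP treat it; readlink -f
# (GNU coreutils or BusyBox); no newlines in file names.

# audit_user_ini DOCROOT BASEDIR [INI_NAME]
# Prints "FILE -> REAL_PATH" per offending file; returns 1 if any were found.
audit_user_ini() {
    docroot=$1
    ini_name=${3:-.user.ini}          # default value of user_ini.filename
    basedir=$(readlink -f -- "$2") || return 2
    hits=$(find "$docroot" -name "$ini_name" \( -type f -o -type l \) -print |
        while IFS= read -r f; do
            # Resolve every symlink in the path before comparing prefixes.
            target=$(readlink -f -- "$f") || target='(unresolvable)'
            case "$target" in
                "$basedir"/*) ;;                        # stays inside: fine
                *) printf '%s -> %s\n' "$f" "$target" ;; # escapes basedir
            esac
        done)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed demo tree mirroring the report: foo/.user.ini -> bar/php.ini
demo=$(mktemp -d)
mkdir "$demo/foo" "$demo/bar"
echo 'memory_limit=1G' > "$demo/bar/php.ini"
ln -s "$demo/bar/php.ini" "$demo/foo/.user.ini"
audit_user_ini "$demo/foo" "$demo/foo" || echo "symlinked INI escapes open_basedir"
rm -rf "$demo"
```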


 [2021-07-12 15:39 UTC] cmb@php.net
-Type: Security
+Type: Bug
 [2021-07-12 15:39 UTC] cmb@php.net
open_basedir bypasses are not considered to be security issues;
cf. <https://externals.io/message/105606>
and <https://externals.io/message/115406>.