PHP :: Bug #74171 :: unexpected open_basedir restriction warning

Bug #74171	unexpected open_basedir restriction warning
Submitted:	2017-02-26 15:02 UTC	Modified:	2017-02-26 16:57 UTC
From:	nk dot hesam+php at gmail dot com	Assigned:
Status:	Duplicate	Package:	Safe Mode/open_basedir
PHP Version:	5.6.30	OS:	OSX, Ubuntu
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	nk dot hesam+php at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2017-02-26 15:02 UTC] nk dot hesam+php at gmail dot com

Description:
------------
very similar to Bug #41518 [https://bugs.php.net/bug.php?id=41518], but happening in a much narrower case.
consider following file structure exists:
- parent
 - folder1
  - image2.jpg
 - file.txt

with open_basedir enabled, consider one tries to perform file_exists($filename) with $filename within the permitted paths. three cases are presented:

- $filename = 'path/to/parent/folder1/image.jpg'
    file does not exists but the containing folder (folder1) does. file_exists() returns false as expected.

- $filename = 'path/to/parent/folder2/image.jpg'
    neither file nor it's containing folder (folder2) do not exist. file_exists() returns false as expected.

- $filename = 'path/to/parent/file.txt/image.jpg'
    the target file (image.jpg) does not exist but there is a file named file.txt, in this case when file_exists() tries to look into file.txt (it assumes it's a folder) an open_basedir restriction warning arises. file_exists() still returns false.

same thing happens with is_file and is_dir functions.
I've checked it on PHP 5.6.30 and 7.0.12 and same thing happens on both versions.


Test script:
---------------
ini_set('open_basedir', 'path/to/parent');

file_exists('path/to/parent/folder1/image.jpg'); // returns false
file_exists('path/to/parent/folder2/image.jpg'); // returns false
file_exists('path/to/parent/file.txt/image.jpg'); // returns false and causes open_basedir warning 

Expected result:
----------------
all three cases should return false without warning. as the given $filename to file_exists() function is located under allowed paths.

Actual result:
--------------
the third function call results in following warning:
Warning: file_exists(): open_basedir restriction in effect.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-02-26 15:13 UTC] spam2 at rhsoft dot net

it's in general a shame that you need to use @file_exists(), @is_file() and @is_dir() tu supress warnings instead have PHP just shut up and return false if

a) it don't exist
b) the path is outside open_basdir no matter if it exists or not

b) is pretty clear because from the POV of the script it *don't exist*

[2017-02-26 15:32 UTC] requinix@php.net

-Status: Open +Status: Duplicate

[2017-02-26 15:32 UTC] requinix@php.net

Duplicate of bug #52065 and many others.
http://news.php.net/php.internals/86301

[2017-02-26 15:35 UTC] spam2 at rhsoft dot net

and what does the "and many others" tell you?

for me it tells it's a real life problem for many developers, especially when someone dvelops on a sunshine environment without open_basedir and finally on a server with open_basedir opportunitic checks like file_exists('../something'); starting to flood logs for no good reason

[2017-02-26 16:57 UTC] nk dot hesam+php at gmail dot com

I did search before submitting but couldn't find anything but #41518. sorry about that.
And yep everything was fine until I deployed my system on a plesk shared server with open_basedir in action and the issue showed up. very hard to find and debug.

[2018-01-18 20:12 UTC] charl dot xacra at gmail dot com

Guys - really now, why publish such weirdness in php7 too? - I mean sure i would've understood if it were in PHP5 (or older) - but common now - I got sh!t at work because of this "oops" --which I did not create..

-look here it's very simple: no matter if you use a full-path or a relative path, PHP's path-resolve is either broken -or dumber than a retarded cockroach.

I'm working on a highly dynamic system -which also works with symlinks. Now PHP actually remembers my previous path-check (which goes fine) and on next refresh -BAM!! - "open_basedir" -bs.

..the worst part is there is nothing I can do about it but rant...
no google search, nothing on this ... once i loved PHP ... (past tense)

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 23:01:29 2024 UTC