Bug #76836 misleading error message if open_basedir points to inaccessible target
Submitted: 2018-09-02 14:00 UTC
Modified: 2018-09-02 20:55 UTC
From: bugs dot php dot net at register dot conactive dot com
Assigned:
Status: Duplicate
Package: Safe Mode/open_basedir
PHP Version: 7.2.9
OS: Ubuntu 16.04
Private report: No
CVE-ID: None

 [2018-09-02 14:00 UTC] bugs dot php dot net at register dot conactive dot com
Description:
------------
This is NOT a security bug! It's only a very misleading error message.

Example:

open_basedir is set to /var/vmail/ (among other directories)
/var/vmail is drwxrwx---  9 vmail    vmail    4096 Sep  2 15:13 .
user.group for fpm pool is www-data.www-data
So, user/group www-data does not have access to it.

Trying to mkdir or write (file_put_contents) within that directory fails with message about open_basedir restriction (see below). However, this message is not correct. It fails because of insufficient permissions. It does NOT fail because of the open_basedir restriction!

If I change permissions to
/var/vmail is drwxrwx--x  9 vmail    vmail    4096 Sep  2 15:13 .
the misleading error message goes away and the file operation succeeds (if permissions in the target area below are correct).

Related to https://bugs.php.net/bug.php?id=69240, I suppose.

Expected result:
----------------
There should be an error message about missing permissions. There should be NO warning about open_basedir at all in this case, as it's wrong: the file is clearly within the allowed paths.
It would fail to enter that directory without open_basedir set as well!
It probably fails to find the dir because it's inaccessible to the pool. I think in this case it should emit a warning "directory does not exist" or something to that effect. But saying that x is not x in an error message is confusing.


Actual result:
--------------
I get a warning on all kinds of file operations (tried is_dir, mkdir, file_put_contents) that includes this text:

PHP Warning:  is_dir(): open_basedir restriction in effect. File(/var/vmail/sieve/whatever/whatever/whatever) is not within the allowed path(s): (...:/var/vmail/sieve/:...) in ....

file_put_contents adds a second message "failed to open stream: Operation not permitted" which might be fine, but the first warning is still wrong. The ...dir operations get only the open_basedir warning.

 [2018-09-02 14:11 UTC] spam2 at rhsoft dot net
YES error messages like "'b' is not within the allowed path 'b'" should really go away and indicate some sloppy code - in case of a not accessible path the whole existence of open_basedir shouldn't be relevant and a clear error before all the checks stop execution
 [2018-09-02 20:55 UTC] requinix@php.net
-Status: Open +Status: Duplicate
 [2018-09-02 20:55 UTC] requinix@php.net
Duplicate of bug #52065 and others.
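
A diagnostic sketch for the situation reported above, added here as an example and not part of the report or of PHP itself: it separates "path lies outside open_basedir" from "an ancestor directory lacks the search bit for the pool user". The function names and verdict strings are made up for this example; it assumes GNU stat, ignores ACLs and symlinks, and treats each open_basedir entry as a directory.

```shell
#!/bin/sh
# Added diagnostic sketch, not PHP's own open_basedir logic.
# Assumptions: GNU stat (as on the Ubuntu host in the report); plain mode bits only
# (no ACLs, no symlink resolution); open_basedir entries treated as directories.

# in_basedir PATH LIST: succeeds if PATH falls lexically under one colon-separated entry.
in_basedir() (
    set -f; IFS=:
    for entry in $2; do
        [ -n "$entry" ] || continue
        entry=${entry%/}
        case "$1" in "$entry"|"$entry"/*) exit 0 ;; esac
    done
    exit 1
)

# can_search MODE OWNER GROUP USER "USER_GROUPS": succeeds if USER holds the search (x) bit.
can_search() (
    mode=$(printf '%04o' "0$1")            # normalise stat's %a output, e.g. 770 -> 0770
    [ "$4" = root ] && exit 0              # assumes the superuser is named root
    if [ "$4" = "$2" ]; then pos=2         # owner class
    else case " $5 " in
        *" $3 "*) pos=3 ;;                 # group class
        *) pos=4 ;;                        # other class
    esac; fi
    digit=$(printf %s "$mode" | cut -c"$pos")
    [ $(( digit & 1 )) -eq 1 ]
)

# diagnose PATH LIST USER "USER_GROUPS": prints which of the two causes applies.
diagnose() (
    path=$1 user=$3 groups=$4
    in_basedir "$path" "$2" || { echo "outside-open_basedir"; exit 0; }
    set -f; IFS=/; set -- ${path#/}; unset IFS
    dir=
    for part do                            # check every ancestor, not the target itself
        cur=${dir:-/}
        [ -d "$cur" ] || { echo "missing-or-unreadable:$cur"; exit 0; }
        can_search $(stat -c '%a %U %G' "$cur") "$user" "$groups" ||
            { echo "permission-denied:$cur"; exit 0; }
        dir=$dir/$part
    done
    echo "traversable"
)

# Usage (run as root): diagnose /var/vmail/sieve/x "/var/vmail/:/tmp/" www-data "www-data"
if [ "$#" -ge 3 ]; then diagnose "$@"; fi
```

With the permissions from the report (`/var/vmail` at `drwxrwx---`, pool user `www-data`), the verdict is `permission-denied:/var/vmail`; after adding the `x` bit for others the walk continues past that directory.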
 
Last updated: Thu Nov 21 23:01:29 2024 UTC