PHP :: Bug #76836 :: misleading error message if open_basedir points to inaccessable target

Bug #76836	misleading error message if open_basedir points to inaccessable target
Submitted:	2018-09-02 14:00 UTC	Modified:	2018-09-02 20:55 UTC
From:	bugs dot php dot net at register dot conactive dot com	Assigned:
Status:	Duplicate	Package:	Safe Mode/open_basedir
PHP Version:	7.2.9	OS:	Ubuntu 16.04
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	bugs dot php dot net at register dot conactive dot com
New email:
PHP Version:		OS:

New Comment:

[2018-09-02 14:00 UTC] bugs dot php dot net at register dot conactive dot com

Description:
------------
This is NOT a security bug! It's only a very misleading error message.

Example:

open_basedir is set to /var/vmail/ (among other directories)
/var/vmail is drwxrwx--- 9 vmail vmail 4096 Sep 2 15:13 .
user.group for fpm pool is www-data.www-data
So, user/group www-data does not have access to it.

Trying to mkdir or write (file_put_contents) within that directory fails with message about open_basedir restriction (see below). However, this message is not correct. It fails because of insufficient permissions. It does NOT fail because of the open_basedir restriction!

If I change permissions to
/var/vmail is drwxrwx--x 9 vmail vmail 4096 Sep 2 15:13 .
the misleading error message goes away and the file operation succeeds (if permissions in the target area below are correct).

Related to https://bugs.php.net/bug.php?id=69240, I suppose.

Expected result:
----------------
There should be an error message about missing permissions. There should be NO warning about open_basedir at all in this case, as it's wrong: the file is clearly within the allowed paths.
It would fail to enter that directory without open_basedir set as well!
It probably fails to find the dir because it's inaccessible to the pool. I think in this case it should emit a warning "directory does not exist" or something to that effect. But saying that x is not x in an error message is confusing.

Actual result:
--------------
I get a warning on all kinds of file operations (tried is_dir, mkdir, file_put_contents) that includes this text:

PHP Warning: is_dir(): open_basedir restriction in effect. File(/var/vmail/sieve/whatever/whatever/whatever) is not within the allowed path(s): (...:/var/vmail/sieve/:...) in ....

file_put_contents adds a second message "failed to open stream: Operation not permitted" which might be fine, but the first warning is still wrong. The ...dir operations get only the open_basedir warning.

Patches

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-09-02 14:11 UTC] spam2 at rhsoft dot net

YES error mesaages like "'b' is not within the allowed path 'b'" should really go away and indicate some sloppy code - in case of a not accsessable path othe whole extstence of open_basedir shouldn't be relevant and a clear error before all the checks stop execution

[2018-09-02 20:55 UTC] requinix@php.net

-Status: Open +Status: Duplicate

[2018-09-02 20:55 UTC] requinix@php.net

Duplicate of bug #52065 and others.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Sep 07 23:01:27 2024 UTC