php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79851 open_basedir no longer restricts access to http://
Submitted: 2020-07-13 12:38 UTC Modified: 2020-07-13 13:28 UTC
From: sjon@php.net Assigned: cmb (profile)
Status: Closed Package: Filesystem function related
PHP Version: 8.0.0alpha2 OS: archLinux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: sjon@php.net
New email:
PHP Version: OS:

 

 [2020-07-13 12:38 UTC] sjon@php.net
Description:
------------
Previously open_basedir would prevent file-functions from accessing protocols such as http. It no longer does, and this change doesn't appear to be documented anywhere. This might simply need an entry in upgrading as is correct according to https://www.php.net/manual/en/function.fopen.php

originally found as https://3v4l.org/oLWdo

Test script:
---------------
$file = 'http://www.phpcodepad.com/index.php';
$newfile = 'example.txt';

copy($file, $newfile);

Expected result:
----------------
Warning: copy(): open_basedir restriction in effect. File(http://www.phpcodepad.com/index.php) is not within the allowed path(s): (/tmp:/in:/etc) in /in/oLWdo on line 5

Actual result:
--------------
Warning: copy(): php_network_getaddresses: getaddrinfo failed: Temporary failure in name resolution in /in/oLWdo on line 5

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-07-13 12:59 UTC] nikic@php.net
-Assigned To: +Assigned To: cmb
 [2020-07-13 12:59 UTC] nikic@php.net
This one probably isn't PHP 8 specific, just not rolled out on earlier branches yet. It's presumably introduced by https://github.com/php/php-src/pull/5237.

@cmb: The new behavior is correct, right?
 [2020-07-13 13:17 UTC] cmb@php.net
-Status: Assigned +Status: Feedback
 [2020-07-13 13:17 UTC] cmb@php.net
> The new behavior is correct, right?

In my opinion, yes.  Why should open_basedir affect HTTP URLs?

I don't even think this needs a special note (UPGRADING or such).
It's just a bug fix, isn't it?
 [2020-07-13 13:21 UTC] nikic@php.net
Yeah, seeing how this just matches the behavior with other functions like fopen(), I don't think special action is needed.
 [2020-07-13 13:28 UTC] sjon@php.net
-Status: Feedback +Status: Closed
 [2020-07-13 13:28 UTC] sjon@php.net
I agree, but I think some people will be bitten by this anyway which is why it might deserve a line in UPGRADING
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 16:01:28 2024 UTC