php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #15547 tempnam() bypasses security
Submitted: 2002-02-14 02:18 UTC Modified: 2005-01-31 23:13 UTC
From: temisu at utu dot fi Assigned:
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 4.0.6 OS: Linux(RedHat 7.1)
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: temisu at utu dot fi
New email:
PHP Version: OS:

 

 [2002-02-14 02:18 UTC] temisu at utu dot fi
tempnam() function bypasses open_basedir directive
set by php.ini

This can be seen f.e. by following code:

$tfile=tempnam("/tmp","foobar"); 
// this is a success regardless of a open_basedir setting
$fp=fopen($tfile,"w")
// file is already created but fopen() fails if 
// open_basedir is set, but not to include /tmp


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-02-15 13:08 UTC] sander@php.net
Are you sure safe-mode is enabled? 
 [2002-02-18 01:44 UTC] temisu at utu dot fi
> Are you sure safe-mode is enabled?

No it is not. open_basedir seems to be independent directive
without connection to the safe-mode (Atleast, the directory 
restrictions work on other file-operations but not tempnam)

The following is example what triggered this in my code. 

php.ini has open_basedir=/www/htdocs and safe_mode= off

The working code...

$tfile=tempnam("/www/htdocs/tmp","foobar");
// success if /www/htdocs/tmp/ exists and is writable
// directory
$fp=fopen($tfile,"w");
// opens the file.

The initial version, which does not care about the
open_basedir...

$tfile=tempnam("/tmp","foobar");
// creates the temp-file.
$fp=fopen($tfile,"w");
// tries to open the file but does not succeed because of
// the open_basedir setting!
//
// Because (any other) file operations cannot be used on /tmp
// this code clutters the /tmp directory with zerobyte
// temp-files.
 [2002-02-18 10:20 UTC] sander@php.net
AFAIK, open_basedir restrictions only _work_ when having safe_mode ON.
 [2002-02-19 01:10 UTC] temisu at utu dot fi
document

http://www.php.net/manual/en/features.safe-mode.php

says that

If instead of safe_mode, you set an open_basedir directory 
   ^^^^^^^
then all file operations will be limited to files under the specified directory For example (Apache httpd.conf example):
 [2002-02-20 15:37 UTC] rasmus@php.net
open_basedir is completely separate from safe_mode so this is actually a bug.
 [2002-07-02 02:17 UTC] derick@php.net
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at http://snaps.php.net/. In case this was a documentation 
problem, the fix will show up soon at http://www.php.net/manual/.
In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.


 [2002-07-14 06:04 UTC] shane at aaatechnologiesaus dot net
open_basedir =/var/vhosts/sites:/tmp/
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sun Jan 26 00:01:25 2020 UTC