php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #20314 Varying open_basedir handling
Submitted: 2002-11-08 11:07 UTC Modified: 2005-01-31 22:40 UTC
From: mfleisch at lynet dot de Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 4.2.3 OS: Solaris 7
Private report: No CVE-ID: None
 [2002-11-08 11:07 UTC] mfleisch at lynet dot de
Some basic data in advance:
All our servers run PHP 4.2.3 / Apache 1.3.27 / Solaris 7

Despite the fact that since 4.2.3 (at least that's when we discovered it) an empty open_basedir (according to the manual access should not be restricted at all that way) will randomly (maybe 5% of all requests) lead to "open_basedir restriction in effect in line 0" meaning that the script itself failed to open we discovered another strange effect of open_basedir:

There are 2 virtual hosts: 1 parsing .php and 1 parsing .html for php-code.
Both their open_basedir is set to the corresponding webserver-root plus the additional directories "/tmp" and "/var/tmp".
On the first one (parsing .html) include("./test.txt") or even include("test.txt") will not work (open_basedir restriction) unless we add e.g. "te" to the open_basedir (adding "." does not work). In contrast absolute paths do work fine.
On the second server all sorts of includes (from current directory, from parent directory, from root) work as supposed and will not fail unless they try to bypass the open_basedir.

As far as we've looked the issue up the only real difference between the 2 virtual hosts is that one parses for .html and has it's own user running the server and the other is parsing for .php and is using the standard-user (www).

Thanks in advance for any help or hints...


Matthias Fleischer


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-11-08 12:03 UTC] sniper@php.net
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. Because of this, we hope you add your comments
to the original bug instead.

Thank you for your interest in PHP.
 [2004-06-29 21:59 UTC] ryan at sinn dot org
ok, so where do I find a the original bug?  Please be more descriptive when closing bogus bugs.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Wed Sep 26 07:01:25 2018 UTC