php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #21565 include/require fail under safe-mode.
Submitted: 2003-01-10 03:35 UTC Modified: 2003-06-05 09:00 UTC
Votes:13
Avg. Score:4.6 ± 0.6
Reproduced:13 of 13 (100.0%)
Same Version:9 (69.2%)
Same OS:0 (0.0%)
From: komanek at natur dot cuni dot cz Assigned:
Status: Closed Package: Scripting Engine problem
PHP Version: 4.3.2 OS: Tru64Unix 5.1A
Private report: No CVE-ID: None
 [2003-01-10 03:35 UTC] komanek at natur dot cuni dot cz
After upgrade from PHP 4.2.2 to 4.3.0 I encountered the problem with safe_mode in conjunction with require().

Example:

[php.ini]
safe_mode = On;
include_path = ".:./:/path/to/my/app/dir";
safe_mode_include_dir = ".:./:/path/to/my/app/dir";

[/path/to/my/app/dir/index_working.php] - works fine for me
<?php
include "header.php";
?>

[/path/to/my/app/dir/index_buggy.php] - throws error
<?php
require "header.php";
?>


The error:

[error] PHP Fatal error:  main() [<a href='http://www.php.net/function.main'>function.main</a>]: Failed opening required 'header.php' (include_path='.:./:/path/to/my/app/dir') in /path/to/my/app/dir/index_buggy.php on line 2



Operating system: Tru64Unix 5.1a
Webserver: Apache 1.3.26

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2003-01-10 16:56 UTC] iliaa@php.net
It is likely that your error reporting level is such that warning messages do not get shown. Unlike require which fails with an error include will only output a warning on failure.
Beyond that there is very little difference between the require/include code none of which is the code reponsible for actually openning files.
 [2003-01-13 04:09 UTC] komanek at natur dot cuni dot cz
Well, you are right with the difference fatal error vs. warning. After I turned the warning messages on I can see the difference. So, the problem should be re-classified as a problem of both include and require. 

Still, with safe_mode on, it does not work, with safe_mode off, it works fine.
 [2003-01-13 17:37 UTC] sniper@php.net
updated the summary line.

 [2003-01-13 17:45 UTC] iliaa@php.net
Do you get any other warning/error messages, something about UID of the script not matching that of the file?
 [2003-01-14 00:12 UTC] komanek at natur dot cuni dot cz
I turned all errors and warnings reporting to have maximum info. Here is a real example from my web, with real paths in filesystem. Both "include" and "require" are used to demonstrate the difference, previously, I used only "require". Strange is that in php 4.2.2 it worked fine for me. The only difference is the upgraded php dynamic module for Apache. It is not the problem of non-existing files or paths because with safe_mode = Off the included and required files are found and opened with no errors.

<?php
include "header.php";?>
<center>
<p>
<b>
<a href="free_catalogue.php">The Catalogue</a>
</b>
</p>
</center>
<?php
require "footer.php";?>
</body>
</html>


The output of this is:

Warning: main() [function.main]: Unable to access ./header.php in /usr/users/dbminer/public_html/index.php on line 2

Warning: main(header.php) [function.main]: failed to create stream: No such file or directory in /usr/users/dbminer/public_html/index.php on line 2

Warning: main() [function.main]: Failed opening 'header.php' for inclusion (include_path='.:./:/usr/users/komanek/public_html/TEST/phpclasses:/usr/local/lib/php:/usr/local/www/apache/htdocs/MINER:/usr/users/dbminer/public_html:/usr/users/popin/html2/statistics/i') in /usr/users/dbminer/public_html/index.php on line 2

The Catalogue

Warning: main() [function.main]: Unable to access ./footer.php in /usr/users/dbminer/public_html/index.php on line 11

Warning: main(footer.php) [function.main]: failed to create stream: No such file or directory in /usr/users/dbminer/public_html/index.php on line 11

Fatal error: main() [function.main]: Failed opening required 'footer.php' (include_path='.:./:/usr/users/komanek/public_html/TEST/phpclasses:/usr/local/lib/php:/usr/local/www/apache/htdocs/MINER:/usr/users/dbminer/public_html:/usr/users/popin/html2/statistics/i') in /usr/users/dbminer/public_html/index.php on line 11



From filesystem:

lib[0]:/usr/users/dbminer/public_html(07:04)# ls -al index.php header.php footer.php
-rw-r--r--   1 dbminer  users        174 Oct 30  2000 footer.php
-rw-r--r--   1 dbminer  users       1047 Nov  7  2001 header.php
-rw-r--r--   1 dbminer  users        161 Jan 13 12:08 index.php

Configure switches:

--with-apache=/scratch/sources/apache_1.3.26 --with-openssl --with-zlib=/usr/local --with-zlib-dir=/usr/local --with-bz2=/usr/local --with-db --enable-dbase --with-gd --with-dom --enable-ftp --enable-gd-native-ttf --with-freetype-dir=/usr/local/freetype2 --with-iconv --with-mysql --enable-trans-sid --with-jpeg-dir=/usr/local/lib --with-png-dir=/usr/local/lib --enable-sockets --enable-discard-path --enable-safe-mode --enable-bcmatch --enable-calendar --enable-ctype --enable-mailparse --enable-force-cgi-redirect --enable-memory-limit --with-expat-dir=/usr/local --with-xml --with-gettext --with-mcrypt --with-imap=/scratch/sources/imap/imap-2002.RC2 --with-imap-ssl=/scratch/sources/imap/imap-2002.RC2 --disable-cgi
 [2003-01-30 06:45 UTC] Emil at Wayers dot com
I found the excact same problem.

Fatal error: main() [function.main]: Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /opt/www/conf/phpMyAdmin/index.php on line 9

Safe_mode is on here; I traced the problem to a require/include function problem (duh)

You will have to specify the exact path to the file in safemode, even if you have the path in your include_path.

If the file has no path given in the require or the include PHP 4.3.0 gives these kind of errors. But older version accept it.

Note; even ../../ and ./ do not work. The latest phpMyAdmin will not work on PHP 4.3.0 with safemode on.
 [2003-01-30 06:49 UTC] Emil at Wayers dot com
My Solaris 8 and Solaris 7 both have this problem with Apache 1.3.27 and MySQL-max-3.23.54a-sun-solaris2.8 + MySQL-max-3.23.54a-sun-solaris2.7 under PHP 4.3.0
 [2003-02-11 08:28 UTC] s dot birkhoff at liwest dot at
I have the same Problem under Windows 2000/XP/IIS and
PHP Version 4.3.0

In Version 4.2.3 it all works fine.
 [2003-04-02 08:09 UTC] jot at agonize dot org
Same issue under Apache 1.3.27 and PHP 4.3.1. Includes dont seem to work at all unless the absolute path is used.. even with safe_mode set to off.
 [2003-04-28 09:57 UTC] komanek at natur dot cuni dot cz
Still the same problem under 

Server Version: Apache/1.3.27 (Unix) PHP/4.3.2-RC1 mod_ssl/2.8.14 OpenSSL/0.9.7b
 [2003-04-28 09:58 UTC] komanek at natur dot cuni dot cz
still the same problem as in 4.3.0
 [2003-05-10 18:03 UTC] mad4chip at tiscalinet dot it
It appear that also under Windows2000 there is the same problem and doesn't matter which is safe_mode setting.
PHP Version 4.3.0 Windows NT localhost 5.0 build 2195 IIS Webserver from the with Windows2000 professional pakage
 [2003-05-11 23:58 UTC] komanek at natur dot cuni dot cz
Well, does anybody from PHP developers monitor this thread ? Are there some plans to fix ?

Thanks,

  David Komanek
 [2003-06-05 09:00 UTC] komanek at natur dot cuni dot cz
Today I updated from 4.3.2RC1 to real 4.3.2 and tested the problem again. It did not vanished. But I was disapointed by not seeing any official response to this bug, so I started again to find my own mistake. And voil? - I found it:

I have multiple paths defined in include_dir and safe_mode_include_dir variables in php.ini. In far older versions it worked fine with semicolons as separators. As of PHP 4.3.0 this works not for me anymore. Now I had the idea to try colons instead. I didn't find any hint neither in the changelogs nor in the documentation abou this change, but I hope this is somewhere to find.

After the substitution ';' -> ':' everything works fine again. Six months' issue :-)

Regards,

  David
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sat Oct 24 03:01:24 2020 UTC