php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #24516 subset open_basedir in .htaccess and block users from opening files
Submitted: 2003-07-06 20:08 UTC Modified: 2010-11-18 23:30 UTC
Votes:5
Avg. Score:4.8 ± 0.4
Reproduced:2 of 3 (66.7%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: mphh at bandignition dot tk Assigned: jani (profile)
Status: Closed Package: Safe Mode/open_basedir
PHP Version: Irrelevant OS: All
Private report: No CVE-ID: None
 [2003-07-06 20:08 UTC] mphh at bandignition dot tk
Description:
------------
Could someone find a way so that files (i.e., .htaccess, .httpd) could be block from opening by a user and that open_basedir can be set on a per-directory while still enforceing the open_basedir set in .httpd or php.ini.

Reproduce code:
---------------
php.ini:
open_basedir = "/usr/home/public_html/"
deny_open_files = ".htaccess,.httpd"

.htaccess (#1):
php_flag open_basedir = "/usr/home/public_html/some/dir/"

.htaccess (#2):
php_flag open_basedir = "/"

script1.php:
<?php
$fp=fopen("text.txt", "w");
fwrite($fp, "nice text");
fclose($fp);
echo "file writing done";
?>

script2.php:
<?php
$fp=fopen(".htaccess", "w");
fwrite($fp, "evil code");
fclose($fp);
echo "evil done";
?>

Expected result:
----------------
.htaccess (#1) will work while,
.htaccess (#2) will not.

and

script1.php will return:
file writing done

and script2.php will return:
Error: fopen(): You are not allowed to open that file for security resons.


Patches

php.ini (last revision 2012-01-31 02:17 UTC by webmasterick dot rl at hotmail dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-11-18 23:30 UTC] jani@php.net
-Status: Open +Status: Closed -Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: jani
 [2010-11-18 23:30 UTC] jani@php.net
We have user ini support since 5.3.0. Also:

  http://www.php.net/manual/en/ini.core.php#ini.open-basedir

"As of PHP 5.3.0 open_basedir can be tightened at run-time. This means that if open_basedir is set to /www/ in php.ini a script can tighten the configuration to /www/tmp/ at run-time with ini_set()"
 [2010-11-18 23:30 UTC] jani@php.net
-Package: *General Issues +Package: Safe Mode/open_basedir
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 14:01:29 2024 UTC