Bug #27160 open_basedir contains "." but script fails to include "./dir/file.txt"
Submitted: 2004-02-05 11:42 UTC
Modified: 2004-02-09 20:08 UTC
From: bjorn dot wiberg at home dot se
Assigned:
Status: Not a bug
Package: Apache2 related
PHP Version: 5CVS-2004-02-06
OS: Debian GNU/Linux 3.0r2 (mixed)
Private report: No
CVE-ID: None
 [2004-02-05 11:42 UTC] bjorn dot wiberg at home dot se
Description:
------------
Using PHP for a virtual host, with open_basedir set to "." (a dot).

When running a script that includes files in subdirectories relative to the script of the form "./dir/file.inc", those files fail to get included, and the error log says that those files are not within the allowed path.

Even though the open_basedir documentation says that "." should allow files in the current directory *and subdirectories* to be included.

Setting open_basedir to include "./" fixes the problem.

(I've now started to include ".:./" in my open_basedir to be on the "safe" side...)


NOTE: This is not the same thing as bug #14396 (http://bugs.php.net/bug.php?id=14396) as I'm not using safe mode, and don't get the "wrong directory error" but instead the "is not within the allowed path(s)" error.

SIDENOTE: Bug #26310 (http://bugs.php.net/bug.php?id=26310) has a very odd comment at the end; why would "./" be almost the same thing as not setting any open_basedir restrictions at all? I would say that "/" would be the same thing as not setting it at all, but not "./"...

Reproduce code:
---------------
I'm using phpMyAdmin 2.5.5-pl1 from:
http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.5.5-pl1.tar.gz?download

...together with Apache 2.0.48-7 (apache2-mpm-worker, apache2-common, apache2-doc Debian packages) and PHP 5.0.0b3 as an Apache 2 SAPI module.

At the moment I'm not running PHP in safe mode.

I'm also more or less using the standard PHP config of php.ini-recommended, also locking some of its values with php_admin_value and php_admin_flag in main server config.

Overriding doc_root, max_execution_time, memory_limit, open_basedir and safe_mode_exec_dir (a remainder from the time when I used safe mode) for each virtual host.

Expected result:
----------------
No errors should appear in the Apache error log. The inclusion of files from the script should work.

"." as open_basedir ought to allow inclusion both of files in the same directory as the script (i.e. include "file.txt" AND "./file.txt") and subdirectories (i.e. include "directory/file.txt" -- at least if "." is also in the include_path -- AND "./directory/file.txt").

Actual result:
--------------
WITH OPEN_BASEDIR SET TO ".":

[client 81.224.231.55] PHP Fatal error:  main(): Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/
[client 81.224.231.55] PHP Warning:  main(): open_basedir restriction in effect. File(./libraries/grab_globals.lib.php) is not within the allowed path(s): (.) in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/queryframe.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792
[client 81.224.231.55] PHP Warning:  main(./libraries/grab_globals.lib.php): failed to open stream: Operation not permitted in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/queryframe.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792
[client 81.224.231.55] PHP Fatal error:  main(): Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/queryframe.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792
[client 81.224.231.55] PHP Warning:  main(): open_basedir restriction in effect. File(./libraries/grab_globals.lib.php) is not within the allowed path(s): (.) in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/left.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792
[client 81.224.231.55] PHP Warning:  main(./libraries/grab_globals.lib.php): failed to open stream: Operation not permitted in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/left.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792
[client 81.224.231.55] PHP Fatal error:  main(): Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/left.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792
[client 81.224.231.55] PHP Warning:  main(): open_basedir restriction in effect. File(./libraries/grab_globals.lib.php) is not within the allowed path(s): (.) in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/main.php?lang=sv-iso-8859-1&server=1
[client 81.224.231.55] PHP Warning:  main(./libraries/grab_globals.lib.php): failed to open stream: Operation not permitted in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/main.php?lang=sv-iso-8859-1&server=1
[client 81.224.231.55] PHP Fatal error:  main(): Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/main.php?lang=sv-iso-8859-1&server=1


WITH OPEN_BASEDIR SET TO "./":

[Thu Feb 05 17:08:00 2004] [notice] SIGUSR1 received.  Doing graceful restart
[Thu Feb 05 17:08:00 2004] [notice] Digest: generating secret for digest authentication ...
[Thu Feb 05 17:08:00 2004] [notice] Digest: done
[Thu Feb 05 17:08:00 2004] [notice] Apache configured -- resuming normal operations

(That is, no errors appear.)

 [2004-02-06 11:18 UTC] sniper@php.net
I can not reproduce this. Try with CLI.

 [2004-02-06 14:10 UTC] bjorn dot wiberg at home dot se
(The version is 2004-02-06 10:30, not 2004-02-05.)

Tried with open_basedir = "." and all error logging enabled with the CLI version. No errors.

Just to make sure that the CLI version was obeying the open_basedir directive, I tried changing it to a completely different directory (where the script isn't located) and then open_basedir errors were shown.

So it seems I cannot reproduce the error with the CLI version -- it only appears in the PHP SAPI version.

Any suggestions (other than including "./" in open_basedir as a work-around)?

Best regards,
Björn
 [2004-02-09 19:17 UTC] iliaa@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Using "." or "./" is a really bad idea for a SAPI like 
Apache 2, since it is very likely that the current 
directory is not what you think it is. The underlying code 
for figuring out open_basedir is identical in both CLI and 
Apache 2 sapi. 
 [2004-02-09 20:08 UTC] bjorn dot wiberg at home dot se
Hi!

I once again read the safe mode sections (where open_basedir is described), but I'm afraid that doesn't explain why "." and/or "./" is a bad idea in the Apache 2 SAPI, or why the current directory isn't what I think it is. Would you please elaborate on this?

Thanks in advance!

Best regards,
Björn
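
The disagreement in this thread comes down to which directory a relative open_basedir entry such as "." or "./" is measured against under each SAPI. As an added example (not code from the bug report or from the PHP project), the script below prints the SAPI name, the working directory, the script directory and every open_basedir entry, so the CLI and Apache 2 results can be compared side by side; the function name `basedir_report` and the Unix-style path test are assumptions of this example.

```php
<?php
// Added diagnostic, not part of the bug report or of PHP itself.
// Request it through the web server and run it with the CLI binary,
// then compare the two outputs.

function basedir_report()
{
    $cwd     = getcwd();                        // false if unreadable
    $raw     = (string) ini_get('open_basedir');
    $entries = ($raw === '') ? array() : explode(PATH_SEPARATOR, $raw);

    $rows = array();
    foreach ($entries as $entry) {
        // Assumption: Unix-style paths, as on the reporter's Debian host.
        $relative = ($entry === '' || $entry[0] !== '/');
        $rows[] = array(
            'entry'    => $entry,
            'relative' => $relative,
            // A relative entry such as "." or "./" only has a meaning
            // in combination with the working directory shown below.
            'base'     => $relative ? $cwd : $entry,
        );
    }

    return array(
        'sapi'       => php_sapi_name(),
        'cwd'        => $cwd,
        'script_dir' => __DIR__,
        // Plain string comparison; symlinked paths may differ in spelling.
        'cwd_is_script_dir' => ($cwd === __DIR__),
        'entries'    => $rows,
    );
}

$r = basedir_report();
header('Content-Type: text/plain');
printf("SAPI:        %s\n", $r['sapi']);
printf("getcwd():    %s\n", var_export($r['cwd'], true));
printf("script dir:  %s\n", $r['script_dir']);
printf("cwd matches: %s\n", $r['cwd_is_script_dir'] ? 'yes' : 'NO');
foreach ($r['entries'] as $e) {
    printf("open_basedir entry %s -> %s, checked against %s\n",
        var_export($e['entry'], true),
        $e['relative'] ? 'relative' : 'absolute',
        var_export($e['base'], true));
}
if (!$r['entries']) {
    echo "open_basedir is not set\n";
}
```

If "cwd matches" differs between the two runs, a relative entry grants a different directory tree under each SAPI, and an absolute path per virtual host removes that dependency.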
 