Bug #31054 [PATCH] include_path is not traversed fully when open_basedir nonmatching
Submitted: 2004-12-10 16:14 UTC
Modified: 2005-06-20 17:59 UTC
Avg. Score: 4.8 ± 0.4
Reproduced: 3 of 3 (100.0%)
Same Version: 1 (33.3%)
Same OS: 1 (33.3%)
From: kameshj at fastmail dot fm
Assigned:
Status: Closed
Package: Safe Mode/open_basedir
PHP Version: 5CVS-2005-03-06
OS: *
Private report: No
CVE-ID:
 [2004-12-10 16:14 UTC] kameshj at fastmail dot fm
include_path is not traversed fully when open_basedir has nonmatching entries with respect to include_path entries, matching from the beginning.
For example:
Even though I have "include.php" under /usr/local/lib/php/includes, and /usr/local/lib/php/includes is also under open_basedir, the include fails because of the open_basedir check.

Analysed the cause and found the cause to be 
_php_stream_fopen_with_path in 

In this function, php_check_open_basedir is called for each include_path_entry/filename; if it fails for any of the include_path entries, no further include_path entry is tried at all.

Attaching the patch at

Reproduce code:
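main.php:
<?php
echo __FILE__;
echo "\n";
include 'include.php'; // the include call and the two-file split follow the description below

include.php:
<?php
echo "\n";
echo __FILE__;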
Keep this include.php in a second entry of the include path; for example, keep this include.php in /my/inc and have include_path as "/non/existent:/my/inc".
Make sure this "/non/existent" is not present in open_basedir and run main.php.

Expected result:
main.php should include 'include.php' successfully.

Actual result:
You will get an include failure message and a whole host of open_basedir failure messages.
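
The traversal logic described in the report, as an added example that is not PHP's source or the reporter's patch: a simplified C model of an include_path walk in which `stop_on_denied` selects between ending the search at the first open_basedir failure and skipping that entry. `resolve_include`, `basedir_allows`, the prefix check and the sample directories are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample state, mirroring the report's reproduce case. */
static const char *OPEN_BASEDIR[] = { "/my/inc", "/var/www", NULL };
static const char *EXISTING[] = { "/my/inc/include.php", "/outside/include.php", NULL };

/* Simplified prefix check; an assumption, not php_check_open_basedir() itself. */
static int basedir_allows(const char *path) {
    for (int i = 0; OPEN_BASEDIR[i]; i++) {
        size_t n = strlen(OPEN_BASEDIR[i]);
        if (strncmp(path, OPEN_BASEDIR[i], n) == 0 &&
            (path[n] == '/' || path[n] == '\0'))
            return 1;
    }
    return 0;
}

static int file_exists(const char *path) {
    for (int i = 0; EXISTING[i]; i++)
        if (strcmp(path, EXISTING[i]) == 0) return 1;
    return 0;
}

/* Walk a ':'-separated include_path. stop_on_denied=1 models the reported behaviour,
 * 0 skips a denied entry. Returns 1 with the path in out, or 0 (out then undefined). */
int resolve_include(const char *include_path, const char *name,
                    int stop_on_denied, char *out, size_t outlen) {
    const char *p = include_path;
    while (*p) {
        size_t len = strcspn(p, ":");
        int n = snprintf(out, outlen, "%.*s/%s", (int)len, p, name);
        if (n > 0 && (size_t)n < outlen) {        /* ignore truncated candidates */
            if (!basedir_allows(out)) {
                if (stop_on_denied) return 0;     /* reported bug: search ends here */
            } else if (file_exists(out)) {
                return 1;                         /* allowed by open_basedir and present */
            }
        }
        p += len + (p[len] == ':');               /* step past the entry and its separator */
    }
    return 0;
}

int main(void) {
    char buf[256];
    const char *ip = "/non/existent:/my/inc";     /* include_path from the report */
    int stop = resolve_include(ip, "include.php", 1, buf, sizeof buf);
    int skip = resolve_include(ip, "include.php", 0, buf, sizeof buf);
    printf("stop_on_denied=%d skip_denied=%d path=%s\n", stop, skip, buf);
    return 0;
}
```

In both modes a denied entry is never opened; skipping only changes whether later entries are still considered.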


 [2005-03-04 16:18 UTC] kameshj at fastmail dot fm
This is reproducible with both php-5.0.4-dev as well as php-5.1.0-dev.
 [2005-06-20 17:59 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.
