Bug #31309 open_basedir restrictions do not work on symlinks
Submitted: 2004-12-27 12:30 UTC Modified: 2007-06-19 22:23 UTC
Votes:6
Avg. Score:4.8 ± 0.4
Reproduced:6 of 6 (100.0%)
Same Version:3 (50.0%)
Same OS:3 (50.0%)
From: frido at isp-services dot nl Assigned:
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5CVS, 4CVS (2005-01-20) OS: *
Private report: No CVE-ID: None

 [2004-12-27 12:30 UTC] frido at isp-services dot nl
Description:
------------
We currently define in our apache vhost the following doc_root:

php_admin_value open_basedir "/home/sites/site7/:/home/sites/www.sjeemz.be/:/usr/lib/php/:/tmp:/home/sites/general"

Where site7 is a real directory and sjeemz.be is a symlink. When we use the symlink as a directory to save to:

http://www.sjeemz.be/upload/index.php

this creates an error, while the symlink is in the open_basedir.


Reproduce code:
---------------
http://www.sjeemz.be/upload/index.phps

Expected result:
----------------
"When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink."

The symlink is not resolved to site7 in the example above.


Actual result:
--------------
Warning: move_uploaded_file(): open_basedir restriction in effect. File(/home/sites/symlink/web/uploads/chenbro_aug.sxc) is not within the allowed path(s): (/home/sites/symlink/web) in /home/sites/test/web/index.php on line 16
There was an error whilst uploading the file.
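
The documented behaviour quoted under "Expected result" (all symbolic links are resolved before the location is checked), shown as an added example that is not part of the original report and is not PHP's internal open_basedir code: a userland check that resolves both the allowed entry and the target, including a target file that does not exist yet. The temporary directory layout and the name www.example.test are constructed for illustration.

```php
<?php
// Added illustration: a userland model of a symlink-aware base-directory check.
// Not PHP's internal open_basedir code; every path below is constructed.

// Resolve a path whose last component may not exist yet (e.g. an upload target).
function resolve_target(string $path): ?string
{
    $real = realpath($path);
    if ($real !== false) {
        return $real;
    }
    $parent = realpath(dirname($path)); // the parent directory must exist
    return $parent === false ? null : $parent . DIRECTORY_SEPARATOR . basename($path);
}

// True if $path, after symlink resolution, lies under one of the $allowed entries.
function within_basedir(string $path, array $allowed): bool
{
    $target = resolve_target($path);
    if ($target === null) {
        return false;
    }
    foreach ($allowed as $entry) {
        $base = realpath($entry); // resolve the allowed entry too
        if ($base === false) {
            continue;
        }
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strncmp($target . DIRECTORY_SEPARATOR, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed layout mirroring the report: site7 is a real directory and
// www.example.test (hypothetical name) is a symlink to it.
$root = sys_get_temp_dir() . '/obd_' . getmypid();
mkdir("$root/site7/web/uploads", 0700, true);
mkdir("$root/other", 0700, true);
symlink("$root/site7", "$root/www.example.test");
symlink("$root/other", "$root/site7/web/escape"); // link that leaves the tree

$allowed = ["$root/www.example.test/"];
foreach (['www.example.test/web/uploads/new.jpg', 'site7/web/uploads/new.jpg',
          'site7/web/escape/new.jpg'] as $rel) {
    printf("%-40s %s\n", $rel, within_basedir("$root/$rel", $allowed) ? 'allowed' : 'denied');
}
```

The first two paths are accepted because both resolve under the real site7 directory; the third is refused because its resolved parent directory lies outside it.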

History

 [2005-01-20 23:50 UTC] phpdotnet at sjeemz dot nl
problem also exists in PHP 5.0.3 on RedHat 7.3
 [2005-01-20 23:54 UTC] frido at isp-services dot nl
still the same problem, for our configuration see: http://www.sjeemz.be/upload/phpinfo.php
 [2006-06-20 13:36 UTC] frido at isp-services dot nl
Still the same problem on 4.4.2. Is this still considered a defect?
 [2006-07-22 12:29 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2006-07-30 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2006-08-10 11:24 UTC] frido at isp-services dot nl
Still exists in latest cvs php5.2-200608100830 / PHP Version 5.2.0RC2-dev


Warning: move_uploaded_file() [function.move-uploaded-file]: open_basedir restriction in effect. File(/home/sites/www.sjeemz.be/web/files/moz-screenshot.jpg) is not within the allowed path(s): (/home/sites/site144:/home/sites/www.sjeemz.be:/usr/lib/php:/usr/share/php:/tmp:/home/sites/general) in /home/sites/site144/web/upload/uploader.php on line 6
There was an error uploading the file, please try again!
 [2007-01-10 22:57 UTC] iliaa@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip


 [2007-01-18 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2007-06-19 22:18 UTC] jorn at isp-services dot nl
Seems to be fixed in PHP 5.2.3.
 [2007-06-19 22:23 UTC] frido at isp-services dot nl
Fixed in PHP 5.2.3
 
Last updated: Fri Apr 19 20:01:29 2024 UTC