|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #39073 safe_mode_include_dir not honored
Submitted: 2006-10-07 08:09 UTC Modified: 2006-10-08 00:12 UTC
From: jim at centerfuse dot net Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 5.1.6 OS: FreeBSD 4.11
Private report: No CVE-ID: None
 [2006-10-07 08:09 UTC] jim at centerfuse dot net
Just upgraded to php 5.1.6, and safe_mode_include_dir doesn't appear to be honored. I'm running with safe mode = On and one directory in the include_dir. Trying to include/fopen/etc any file from that directory results in a safemode UID restriction. phpinfo() shows that PHP is reading the correct configuration file and that it knows about safe_mode_include_dir. 

Reproduce code:
//in php.ini: safe_mode_include_dir = "/usr/local/share/FUSE")

$fp = fopen('/usr/local/share/FUSE/FUSE-main.php', 'r')

Expected result:
fopen should return file pointer

Actual result:
Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The script whose uid is 1006 is not allowed to access /usr/local/share/FUSE/FUSE-main.php owned by uid 0 in /home/context/public_html/test.php on line 13


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-10-07 08:10 UTC] jim at centerfuse dot net
note, the trailing parentheses that appears in my reproduce code after the safe_mode_include_dir is *not* present in php.ini, it was a typo.
 [2006-10-07 09:19 UTC] jim at centerfuse dot net
get_cfg_var() and ini_get() both return the correct safe_mode_include_dir, but it seems to just be ignored. Just for good measure, I also tried using a different directory altogether, but got the same results.
 [2006-10-07 19:19 UTC] jim at centerfuse dot net
This bug does not seem to affect require_once(), require(), or include(), which are still able to access the file from a different UID (as long as safe_mode_include_dir is set as it should be). However, other file operations such as file_exists and fopen fail. In the example below, note that the include() succeeds because the output does say "this is the test file"

// safe_mode_include_dir is /home/php_include_test
// the file /home/php_include_test/test 
// simply says "this is the test file<br />"

$test_file = '/home/php_include_test/test';


if ( file_exists($test_file) ) {
        echo 'Test file exists.<br />';
else {
        echo 'Test file does not exist<br />';

if ( is_readable($test_file) ) {
        echo 'Test file is readable.<br />';
else {
        echo 'Test file not readable<br />';

if ( $fp = fopen($test_file, 'r') ) {
        echo 'Test file opened for read.<br />';
else {
        echo 'Test file could not be opened for read<br />';

this is the test file
Test file does not exist
Test file not readable

Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The script whose uid is 1010 is not allowed to access /home/php_include_test/test owned by uid 0 in /home/www/jim/public_html/jimtest.php on line 21

Warning: fopen(/home/php_include_test/test) [function.fopen]: failed to open stream: Inappropriate ioctl for device in /home/www/jim/public_html/jimtest.php on line 21
Test file could not be opened for read
 [2006-10-07 20:31 UTC]
The ini directive is called safe_mode_*INCLUDE*_dir.
Please read what it's used for:
 [2006-10-08 00:12 UTC] jim at centerfuse dot net
file_exists() had previously worked for me in safe mode, most likely because I was using PHP 5.1.4, which was subject to bug #37987 (invalid return of file_exists() in safe mode). My apologies for the bogus bug, but you can understand my confusion.
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Aug 21 12:01:26 2019 UTC