PHP :: Bug #39351 :: require and include fails to open file in current directory

Bug #39351

require and include fails to open file in current directory

Submitted:

2006-11-02 22:38 UTC

Modified:

2007-04-03 20:21 UTC

Votes:	32
Avg. Score:	4.7 ± 0.6
Reproduced:	31 of 31 (100.0%)
Same Version:	28 (90.3%)
Same OS:	15 (48.4%)

From:

lampiluoto at gmail dot com

Assigned:

Status:

Closed

Package:

*Directory/Filesystem functions

PHP Version:

5.2.0

OS:

Solaris10

Private report:

CVE-ID:

None

View Developer Edit

[2006-11-02 22:38 UTC] lampiluoto at gmail dot com

Description:
------------
I upgraded to PHP 5.2.0 on Solaris 10 (amd64). Executing PHP code failed and produced errors as any require() or include() with relative path fails. With absolute path it's ok.

The same code in same environment works fine on PHP 5.1.6.

Reason might be that on Solaris getcwd() does not return current working directory unless user has read privileges from root directory to the current dir. Has something changed in 5.2.0 ?

User running httpd does not have read privileges to every directory in Apache HTTPd's DocumentRoot path - it has only execute (x) privilege to part of the directories.
 

Reproduce code:
---------------
// this fails on 5.2.0 but works fine on 5.1.6
require('config.php');

// this works also on 5.2.0 
require('/absolute/path/to/config.php');

Expected result:
----------------
File config.inc should be read successfully. This require('config.php') works fine on PHP 5.1.6 but after upgrading to 5.2.0 on same environment, it does not.

Actual result:
--------------
// with relative path
[Fri Nov 03 00:13:15 2006] [error] [client x.x.x.x] PHP Warning:  require(config.php) [<a href='function.require'>function.require</a>]: failed to open stream: No such file or directory in /path/to/index.php on line 3, referer: http://mysite/index.php

[Fri Nov 03 00:13:15 2006] [error] [client x.x.x.x] PHP Fatal error:  require() [<a href='function.require'>function.require</a>]: Failed opening required 'config.php' (include_path='.:/opt/httpd/php5/lib/php') in /path/to/index.php on line 3, referer: http://mysite/index.php

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-11-11 22:57 UTC] rasmus@php.net

Would it be possible for you to get us an strace or truss of a 5.1.6 relative include and the same for a 5.2.0 one?  I don't remember any getcwd() changes, but it sounds like there must have been one somewhere.

[2006-11-12 19:17 UTC] lampiluoto at gmail dot com

Here is part of the truss output, I can provide the whole output if needed. After failing getcwd() 5.2.0 tries to open file with wrong path.

#
# PHP-5.1.6
#

662:    stat("./inc/config.php", 0xFFFFFD7FFFDFDEE0)    = 0
662:    resolvepath("./inc/config.php", "inc/config.php", 1024) = 14
662:    getcwd(0xFFFFFD7FFFDFD160, 1024)                Err#13 EACCES [file_dac_read]
662:    stat("./inc/config.php", 0xFFFFFD7FFFDFDE00)    = 0
662:    getcwd(0xFFFFFD7FFFDFDA10, 1024)                Err#13 EACCES [file_dac_read]
662:    resolvepath("./inc/config.php", "inc/config.php", 1024) = 14
662:    getcwd(0xFFFFFD7FFFDFCCE0, 1024)                Err#13 EACCES [file_dac_read]
662:    open("./inc/config.php", O_RDONLY)              = 17
662:    fstat(17, 0x00783920)                           = 0
662:    lseek(17, 0, SEEK_CUR)                          = 0
662:    read(17, " < ? p h p\n\n     / /  ".., 8192)    = 1572
662:    read(17, 0x0077F258, 8192)                      = 0
662:    read(17, 0x0077F258, 8192)                      = 0
662:    close(17)                                       = 0
662:    time()                                          = 1163357246

#
# PHP-5.2.0
# 

17703:  stat("./inc/config.php", 0xFFFFFD7FFFDFDFB0)    = 0
17703:  resolvepath("./inc/config.php", "inc/config.php", 1024) = 14
17703:  getcwd(0xFFFFFD7FFFDFD230, 1024)                Err#13 EACCES [file_dac_read]
17703:  stat("./inc/config.php", 0xFFFFFD7FFFDFDED0)    = 0
17703:  getcwd(0xFFFFFD7FFFDFDAE0, 1024)                Err#13 EACCES [file_dac_read]
17703:  resolvepath("./inc/config.php", "inc/config.php", 1024) = 14
17703:  getcwd(0xFFFFFD7FFFDFCDE0, 1024)                Err#13 EACCES [file_dac_read]
17703:  open("/inc/config.php", O_RDONLY)               Err#2 ENOENT
17703:  open("/data/logs/httpd/error_log-php", O_WRONLY|O_APPEND|O_CREAT,0666) = 17
17703:  lseek(17, 0, SEEK_END)                          = 0
17703:  time()                                          = 1163358385
17703:  fstat(17, 0xFFFFFD7FFFDFC880)                   = 0
17703:  fstat(17, 0xFFFFFD7FFFDFC7D0)                   = 0
17703:  ioctl(17, TCGETA, 0xFFFFFD7FFFDFC840)           Err#25 ENOTTY
17703:  write(17, " [ 1 2 - N o v - 2 0 0 6".., 224)    = 224
17703:  close(17)                                       = 0

[2006-11-15 12:42 UTC] tony2001@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5.2-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5.2-win32-latest.zip

[2006-11-15 13:30 UTC] lampiluoto at gmail dot com

Here's truss output with php5.2-200611151130.

There seems to be changes for stat()'ing the 
file and though it fixes the first 
include('inc/config.php') it causes problems 
later on. 

Including func_prepare.php is with absolute path 
in PHP code and then including db_interface.php 
is with relative path. Just for testing ;)

I have --prefix=/opt/httpd/dev-installation/php5 for 
configuring PHP and it even tries to stat() files 
from there. Result is failing includes. Truss 
output differs quite a lot from 5.1.6.

#
# php5.2-200611151130
#

25255:  stat("./inc/config.php", 0xFFFFFD7FFFDFDF70)    = 0
25255:  getcwd(0xFFFFFD7FFFDFD200, 1024)                Err#13 EACCES [file_dac_read]
25255:  resolvepath("./inc/config.php", "inc/config.php", 1024) = 14
25255:  getcwd(0xFFFFFD7FFFDFC500, 1024)                Err#13 EACCES [file_dac_read]
25255:  stat("^B", 0xFFFFFD7FFFDFDE90)                  Err#2 ENOENT
25255:  stat("/opt/httpd/dev-installation/php5/lib/php/inc/config.php",0xFFFFFD7FFFDFDF70) Err#2 ENOENT
25255:  stat("/data/sites/www.mysite.example/dev-html/inc/config.php",0xFFFFFD7FFFDFDF70) = 0
25255:  resolvepath("/data/sites/www.mysite.example/dev-html/inc/config.php", "/data/sites/www.mysite.example/dev-html/inc/config.php", 1024) = 54
25255:  stat("/data/sites/www.mysite.example/dev-html/inc/config.php", 0xFFFFFD7FFFDFDE90) = 0
25255:  resolvepath("/data/sites/www.mysite.example/dev-html/inc/config.php", "/data/sites/www.mysite.example/dev-html/inc/config.php", 1024) = 54
25255:  open("/data/sites/www.mysite.example/dev-html/inc/config.php",O_RDONLY) = 17
25255:  fstat(17, 0x007BCA68)                           = 0
25255:  read(17, " < ? p h p\n\n     / /  ".., 8192)    = 1572
25255:  read(17, 0x007BCD10, 8192)                      = 0
25255:  close(17)                                       = 0
25255:  time()                                          = 1163596213
25255:  resolvepath("/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", "/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", 1024) = 60
25255:  stat("/data/sites/www.mysite.example/dev-html/inc/func_prepare.php",0xFFFFFD7FFFDFDE60) = 0
25255:  resolvepath("/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", "/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", 1024) = 60
25255:  open("/data/sites/www.mysite.example/dev-html/inc/func_prepare.php",O_RDONLY) = 17
25255:  fstat(17, 0x007BCA68)                           = 0
25255:  read(17, " < ? p h p\n\n     / /\n".., 8192)    = 1171
25255:  read(17, 0x007C1000, 8192)                      = 0
25255:  close(17)                                       = 0
25255:  stat("./inc/db_interface.php", 0xFFFFFD7FFFDFD0C0) = 0
25255:  getcwd(0xFFFFFD7FFFDFC350, 1024)                Err#13 EACCES [file_dac_read]
25255:  resolvepath("./inc/db_interface.php", "inc/db_interface.php", 1024) = 20
25255:  getcwd(0xFFFFFD7FFFDFB650, 1024)                Err#13 EACCES [file_dac_read]
25255:  stat("^C", 0xFFFFFD7FFFDFCFE0)                  Err#2 ENOENT
25255:  stat("/opt/httpd/dev-installation/php5/lib/php/inc/db_interface.php", 0xFFFFFD7FFFDFD0C0) Err#2 ENOENT
25255:  stat("/data/sites/www.mysite.example/dev-html/inc/inc/db_interface.php", 0xFFFFFD7FFFDFD0C0) Err#2 ENOENT
25255:  open("/data/logs/httpd/error_log-php", O_WRONLY|O_APPEND|O_CREAT,0666) = 17
25255:  lseek(17, 0, SEEK_END)                          = 9904
25255:  time()                                          = 1163596213
25255:  fstat(17, 0xFFFFFD7FFFDFB990)                   = 0
25255:  fstat(17, 0xFFFFFD7FFFDFB8E0)                   = 0
25255:  ioctl(17, TCGETA, 0xFFFFFD7FFFDFB950)           Err#25 ENOTTY
25255:  write(17, " [ 1 5 - N o v - 2 0 0 6".., 241)    = 241
25255:  close(17)                                       = 0
25255:  open("/data/logs/httpd/error_log-php", O_WRONLY|O_APPEND|O_CREAT,0666) = 17

[2006-12-05 23:06 UTC] php dot net at ryanfindley dot com

I'm experiencing the same problem on OS X 10.4 PPC 64bit(G5), but not on OS X 10.4 Intel 32bit.

If I revert my PHP install to 5.1.4, the problem goes away but using 5.2.0 all of my include() and require() statements that use a relative path fail, and getcwd() returns ''

[2006-12-05 23:30 UTC] php dot net at ryanfindley dot com

I forgot to mention that I tried the snapshot listed in the comment from 15 Nov 12:42pm UTC (PHP 5.2.1-dev), and experienced the same problem

[2007-02-08 14:03 UTC] webtech at get-telecom dot fr

What's up about this bug ?

[2007-02-09 16:54 UTC] lampiluoto at gmail dot com

Hello,

This bug seem to exist also in PHP 5.2.1, it
is behaving similarly to the 5.2.0 snapshot I 
tested. This is same PHP code I tested earlier.

I remind that this is situation where httpd user
doesn't have read privilege to every directory 
level in path. It has only execute/access (x) 
to some of the directories.

#
# 5.1.6 truss output
#
24204:  stat("./inc/config.php", 0xFFFFFD7FFFDFE470)    = 0
24204:  resolvepath("./inc/config.php", "inc/config.php", 1024) = 14
24204:  getcwd(0xFFFFFD7FFFDFD6F0, 1024)                Err#13 EACCES [file_dac_read]
24204:  stat("./inc/config.php", 0xFFFFFD7FFFDFE390)    = 0
24204:  getcwd(0xFFFFFD7FFFDFDFA0, 1024)                Err#13 EACCES [file_dac_read]
24204:  resolvepath("./inc/config.php", "inc/config.php", 1024) = 14
24204:  getcwd(0xFFFFFD7FFFDFD270, 1024)                Err#13 EACCES [file_dac_read]
24204:  open("./inc/config.php", O_RDONLY)              = 34
24204:  fstat(34, 0x007E4F90)                           = 0
24204:  lseek(34, 0, SEEK_CUR)                          = 0
24204:  read(34, " < ? p h p\n\n     / /  ".., 8192)    = 1572
24204:  read(34, 0x007E27F8, 8192)                      = 0
24204:  read(34, 0x007E27F8, 8192)                      = 0
24204:  close(34)                                       = 0
24204:  time()                                          = 1171039558
24204:  resolvepath("/data/sites/www.lampiluoto.net/dev-html/inc/func_prepare.php", "/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", 1024) = 60
24204:  stat("/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", 0xFFFFFD7FFFDFE360) = 0
24204:  resolvepath("/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", "/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", 1024) = 60
24204:  open("/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", O_RDONLY) = 34
24204:  fstat(34, 0x007E5F10)                           = 0
24204:  lseek(34, 0, SEEK_CUR)                          = 0
24204:  read(34, " < ? p h p\n\n     / /\n".., 8192)    = 1171
24204:  read(34, 0x007E6C28, 8192)                      = 0
24204:  read(34, 0x007E6C28, 8192)                      = 0
24204:  brk(0x007E8F20)                                 = 0
24204:  brk(0x007ECF20)                                 = 0
24204:  brk(0x007ECF20)                                 = 0
24204:  brk(0x007ECF20)                                 = 0
24204:  brk(0x007F0F20)                                 = 0
24204:  close(34)                                       = 0
24204:  stat("./inc/db_interface.php", 0xFFFFFD7FFFDFD9C0) = 0
24204:  resolvepath("./inc/db_interface.php", "inc/db_interface.php", 1024) = 20
24204:  getcwd(0xFFFFFD7FFFDFCC40, 1024)                Err#13 EACCES [file_dac_read]
24204:  stat("./inc/db_interface.php", 0xFFFFFD7FFFDFD8E0) = 0
24204:  getcwd(0xFFFFFD7FFFDFD4F0, 1024)                Err#13 EACCES [file_dac_read]
24204:  resolvepath("./inc/db_interface.php", "inc/db_interface.php", 1024) = 20
24204:  getcwd(0xFFFFFD7FFFDFC7C0, 1024)                Err#13 EACCES [file_dac_read]
24204:  open("./inc/db_interface.php", O_RDONLY)        = 34
24204:  fstat(34, 0x007E2E30)                           = 0
24204:  lseek(34, 0, SEEK_CUR)                          = 0
24204:  read(34, " < ? p h p\n\n / /\n / /".., 8192)    = 502
24204:  read(34, 0x007E6C28, 8192)                      = 0
24204:  read(34, 0x007E6C28, 8192)                      = 0
24204:  close(34)                                       = 0


#
# 5.2.1 truss output
#
23485:  stat("./inc/config.php", 0xFFFFFD7FFFDFE0D0)    = 0
23485:  getcwd(0xFFFFFD7FFFDFD360, 1024)                Err#13 EACCES [file_dac_read]
23485:  resolvepath("./inc/config.php", "inc/config.php", 1024) = 14
23485:  getcwd(0xFFFFFD7FFFDFC660, 1024)                Err#13 EACCES [file_dac_read]
23485:  stat("/inc/config.php", 0xFFFFFD7FFFDFDFF0)     Err#2 ENOENT
23485:  stat("/opt/httpd/dev-installation/php5/lib/php/inc/config.php", 0xFFFFFD7FFFDFE0D0) Err#2 ENOENT
23485:  stat("/data/sites/www.mysite.example/dev-html/inc/config.php", 0xFFFFFD7FFFDFE0D0) = 0
23485:  resolvepath("/data/sites/www.mysite.example/dev-html/inc/config.php", "/data/sites/www.mysite.example/dev-html/inc/config.php", 1024) = 54
23485:  stat("/data/sites/www.mysite.example/dev-html/inc/config.php", 0xFFFFFD7FFFDFDFF0) = 0
23485:  resolvepath("/data/sites/www.mysite.example/dev-html/inc/config.php", "/data/sites/www.mysite.example/dev-html/inc/config.php", 1024) = 54
23485:  open("/data/sites/www.mysite.example/dev-html/inc/config.php", O_RDONLY) = 17
23485:  fstat(17, 0x005D0778)                           = 0
23485:  read(17, " < ? p h p\n\n     / /  ".., 8192)    = 1572
23485:  read(17, 0x005D0A20, 8192)                      = 0
23485:  close(17)                                       = 0
23485:  time()                                          = 1171038559
23485:  resolvepath("/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", "/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", 1024) = 60
23485:  stat("/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", 0xFFFFFD7FFFDFDFC0) = 0
23485:  resolvepath("/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", "/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", 1024) = 60
23485:  open("/data/sites/www.mysite.example/dev-html/inc/func_prepare.php", O_RDONLY) = 17
23485:  fstat(17, 0x005D0778)                           = 0
23485:  read(17, " < ? p h p\n\n     / /\n".., 8192)    = 1171
23485:  read(17, 0x005D4D10, 8192)                      = 0
23485:  close(17)                                       = 0
23485:  stat("./inc/db_interface.php", 0xFFFFFD7FFFDFD220) = 0
23485:  getcwd(0xFFFFFD7FFFDFC4B0, 1024)                Err#13 EACCES [file_dac_read]
23485:  resolvepath("./inc/db_interface.php", "inc/db_interface.php", 1024) = 20
23485:  getcwd(0xFFFFFD7FFFDFB7B0, 1024)                Err#13 EACCES [file_dac_read]
23485:  stat("/inc/db_interface.php", 0xFFFFFD7FFFDFD140) Err#2 ENOENT
23485:  stat("/opt/httpd/dev-installation/php5/lib/php/inc/db_interface.php", 0xFFFFFD7FFFDFD220) Err#2 ENOENT
23485:  stat("/data/sites/www.mysite.example/dev-html/inc/inc/db_interface.php", 0xFFFFFD7FFFDFD220) Err#2 ENOENT
23485:  open("/data/logs/httpd/error_log-php", O_WRONLY|O_APPEND|O_CREAT, 0666) = 17
23485:  lseek(17, 0, SEEK_END)                          = 14856
23485:  time()                                          = 1171038559
23485:  fstat(17, 0xFFFFFD7FFFDFBAE0)                   = 0
23485:  brk(0x007D0C60)                                 = 0
23485:  brk(0x007D4C60)                                 = 0
23485:  fstat(17, 0xFFFFFD7FFFDFBA30)                   = 0
23485:  ioctl(17, TCGETA, 0xFFFFFD7FFFDFBAA0)           Err#25 ENOTTY
23485:  write(17, " [ 0 9 - F e b - 2 0 0 7".., 241)    = 241
23485:  close(17)                                       = 0
23485:  open("/data/logs/httpd/error_log-php", O_WRONLY|O_APPEND|O_CREAT, 0666) = 17

[2007-02-23 10:28 UTC] webtech at get-telecom dot fr

Is there a solution for this bug ?
We're using PHP 5.1.6 and can't upgrade...

[2007-02-27 20:27 UTC] mcmullent at gmail dot com

Is there any chance you need to add:

allow_url_include = On

to your php.ini? My php.ini file (from a previous PHP5 release) did not have allow_url_include, and when I tried to upgrade from 5.1.6 to 5.2.x, I was getting similar errors. When I set allow_url_include, I was able to upgrade to 5.2.1 without any issues.

[2007-03-07 01:57 UTC] mail at unleadedonline dot net

Anybody looking to fix this bug?

We have the same setup as the original bug submitter, and can't upgrade from 5.1.6 to 5.2.1 because of this issue!

It's a showstopper.

[2007-03-07 07:38 UTC] tony2001@php.net

>Anybody looking to fix this bug?
No, we're unable to replicate it.
If you have a Solaris10 handy - please provide an account with PHP, GDB, GCC and other utils required to reproduce and invesigate it.

[2007-03-10 13:22 UTC] lampiluoto at gmail dot com

Hi,

I emailed with Tony about providing
Sol10 environment for reproducing the 
problem and debugging it.

--
 Tero

[2007-03-12 15:00 UTC] webtech at get-telecom dot fr

I've tried with "allow_url_include = On", 
but with PHP 5.2.1, I've the same include problem.

[2007-03-28 16:45 UTC] koper at koper dot biz

I've experienced the same bug on Solaris 10 with PHP 5.2.1 and Apache 2.2.4. The solution (at least temporary) is to allow webservd (apache uid/gid) +rx on every directory leading to DocumentRoot.

[2007-04-02 15:33 UTC] nospam at dede dot fr

It's been five month that the bug is open...

Is there a chance that it'll be resolved in PHP 5.2.2 ?

The bug exits too when including (include or require function) by using .. : for example : include("../test.php");

[2007-04-03 20:21 UTC] tony2001@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Oct 27 04:00:02 2025 UTC