php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #42560 Empty directory argument to tempnam yields open_basedir problems
Submitted: 2007-09-05 11:59 UTC Modified: 2009-08-26 05:45 UTC
Votes:13
Avg. Score:4.6 ± 0.6
Reproduced:11 of 11 (100.0%)
Same Version:7 (63.6%)
Same OS:3 (27.3%)
From: Bjorn dot Wiberg at its dot uu dot se Assigned:
Status: Open Package: Safe Mode/open_basedir
PHP Version: 5.2.9 OS: IBM AIX 5.3 5300-08-01-0819
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: Bjorn dot Wiberg at its dot uu dot se
New email:
PHP Version: OS:

 

 [2007-09-05 11:59 UTC] Bjorn dot Wiberg at its dot uu dot se
Description:
------------
If open_basedir is used -- even if it includes /tmp among its directories -- calling tempnam() with an empty string as the first (directory) argument does not make PHP fall back to "the system default" as http://se.php.net/manual/en/function.tempnam.php specifies.

Reproduce code:
---------------
// open_basedir: .:/apache/php/lib:/tmp:/usr/local/bin:/usr/local/etc/Counter/data:/apache/htdocs/webdev-its

tempnam('', 'test');


Expected result:
----------------
No errors, temporary file gets created in /tmp or whatever the fallback is.

Actual result:
--------------
From the Apache error log:

Warning: tempnam(): open_basedir restriction in effect. File() is not within the allowed path(s): (.:/apache/php/lib:/tmp:/usr/local/bin:/usr/local/etc/Counter/data:/apache/htdocs/webdev-its) in /apache/htdocs/webdev-its/limesurvey/admin/classes/pear/OLE/PPS/File.php on line 87


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-09-18 08:08 UTC] mb at smartftp dot com
Same problem on Windows 2003 with Apache.
 [2007-11-10 21:44 UTC] mb at smartftp dot com
Bug still present in version 5.2.5.

It's very frustrating to see how the PHP team constantly ignores bug reports.
 [2007-12-07 14:11 UTC] gerome dot fournier at infomaniak dot ch
Same issue with PHP 5.2.5.

Any feedbacks from the PHP team concerning this issue would be greatly
appreciated.
 [2008-04-15 15:10 UTC] gentoo at oliwel dot de
Still broken in 5.2.6 on Linux 32bit - crashes OLE Libs from PEAR used by Excel Spredsheet Writer.
 [2008-09-03 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2009-05-26 18:55 UTC] pub at perseguers dot ch
I confirm this bug on 5.2.6 on Debian Lenny
 [2009-08-25 19:16 UTC] rick dot g777 at gmail dot com
Still present in PHP 5.2.9
 [2009-08-26 05:36 UTC] Bjorn dot Wiberg at its dot uu dot se
I also verified this, the problem is still present in PHP 5.2.9:

Warning: tempnam(): open_basedir restriction in effect. File() is not within the allowed path(s): (.:/apache/php/lib/php:/opt/freeware/bin:/tmp:/usr/local/bin:/usr/local/etc/Counter/data:/apache/htdocs/bwiberg) in /apache/htdocs/bwiberg/test/tempnam.php on line 2 

(and no /tmp/test file present)
 [2009-08-26 05:45 UTC] Bjorn dot Wiberg at its dot uu dot se
(Don't know about 5.2.10; bug #48276 hinders us from installing that one on our systems, so personally I cannot verify any changes before 5.2.11 but I'm sure you or some of the other people who have reported this can. The sample code is included with the original submission.)
 [2010-02-16 03:13 UTC] jeffersongranatto at mannesoft dot com dot br
I think... this will not cause side effects.

in the file: ext/standard/file.c
in the function: PHP_FUNCTION(tempnam)
remove:
        if (php_check_open_basedir(dir TSRMLS_CC)) {
                RETURN_FALSE;
        }

in the file: main/php_open_temporary_file.c
in the function: PHPAPI int php_open_temporary_fd_ex
include before the comment:
/* Try the directory given as parameter. */
this:
        if (php_check_open_basedir(dir TSRMLS_CC)) {
                return -1;
        }


And remove this:
        !open_basedir_check
It seems it does not work, and now it will be bad.
 [2010-02-16 12:31 UTC] jeffersongranatto at mannesoft dot com dot br
...or active "open_basedir_check" in php_open_temporary_fd
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sat Dec 07 19:01:24 2019 UTC