php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #42560 Empty directory argument to tempnam yields open_basedir problems
Submitted: 2007-09-05 11:59 UTC Modified: 2009-08-26 05:45 UTC
Votes:13
Avg. Score:4.6 ± 0.6
Reproduced:11 of 11 (100.0%)
Same Version:7 (63.6%)
Same OS:3 (27.3%)
From: Bjorn dot Wiberg at its dot uu dot se Assigned:
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5.2.9 OS: IBM AIX 5.3 5300-08-01-0819
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
11 + 21 = ?
Subscribe to this entry?

 
 [2007-09-05 11:59 UTC] Bjorn dot Wiberg at its dot uu dot se
Description:
------------
If open_basedir is used -- even if it includes /tmp among its directories -- calling tempnam() with an empty string as the first (directory) argument does not make PHP fall back to "the system default" as http://se.php.net/manual/en/function.tempnam.php specifies.

Reproduce code:
---------------
// open_basedir: .:/apache/php/lib:/tmp:/usr/local/bin:/usr/local/etc/Counter/data:/apache/htdocs/webdev-its

tempnam('', 'test');


Expected result:
----------------
No errors, temporary file gets created in /tmp or whatever the fallback is.

Actual result:
--------------
From the Apache error log:

Warning: tempnam(): open_basedir restriction in effect. File() is not within the allowed path(s): (.:/apache/php/lib:/tmp:/usr/local/bin:/usr/local/etc/Counter/data:/apache/htdocs/webdev-its) in /apache/htdocs/webdev-its/limesurvey/admin/classes/pear/OLE/PPS/File.php on line 87


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-09-18 08:08 UTC] mb at smartftp dot com
Same problem on Windows 2003 with Apache.
 [2007-11-10 21:44 UTC] mb at smartftp dot com
Bug still present in version 5.2.5.

It's very frustrating to see how the PHP team constantly ignores bug reports.
 [2007-12-07 14:11 UTC] gerome dot fournier at infomaniak dot ch
Same issue with PHP 5.2.5.

Any feedbacks from the PHP team concerning this issue would be greatly
appreciated.
 [2008-04-15 15:10 UTC] gentoo at oliwel dot de
Still broken in 5.2.6 on Linux 32bit - crashes OLE Libs from PEAR used by Excel Spredsheet Writer.
 [2008-09-03 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2009-05-26 18:55 UTC] pub at perseguers dot ch
I confirm this bug on 5.2.6 on Debian Lenny
 [2009-08-25 19:16 UTC] rick dot g777 at gmail dot com
Still present in PHP 5.2.9
 [2009-08-26 05:36 UTC] Bjorn dot Wiberg at its dot uu dot se
I also verified this, the problem is still present in PHP 5.2.9:

Warning: tempnam(): open_basedir restriction in effect. File() is not within the allowed path(s): (.:/apache/php/lib/php:/opt/freeware/bin:/tmp:/usr/local/bin:/usr/local/etc/Counter/data:/apache/htdocs/bwiberg) in /apache/htdocs/bwiberg/test/tempnam.php on line 2 

(and no /tmp/test file present)
 [2009-08-26 05:45 UTC] Bjorn dot Wiberg at its dot uu dot se
(Don't know about 5.2.10; bug #48276 hinders us from installing that one on our systems, so personally I cannot verify any changes before 5.2.11 but I'm sure you or some of the other people who have reported this can. The sample code is included with the original submission.)
 [2010-02-16 03:13 UTC] jeffersongranatto at mannesoft dot com dot br
I think... this will not cause side effects.

in the file: ext/standard/file.c
in the function: PHP_FUNCTION(tempnam)
remove:
        if (php_check_open_basedir(dir TSRMLS_CC)) {
                RETURN_FALSE;
        }

in the file: main/php_open_temporary_file.c
in the function: PHPAPI int php_open_temporary_fd_ex
include before the comment:
/* Try the directory given as parameter. */
this:
        if (php_check_open_basedir(dir TSRMLS_CC)) {
                return -1;
        }


And remove this:
        !open_basedir_check
It seems it does not work, and now it will be bad.
 [2010-02-16 12:31 UTC] jeffersongranatto at mannesoft dot com dot br
...or active "open_basedir_check" in php_open_temporary_fd
 [2020-12-20 21:58 UTC] sji at sj-i dot dev
https://github.com/php/php-src/pull/6526

This PR fixes the problem.
 [2021-01-19 10:45 UTC] nikic@php.net
Automatic comment on behalf of shinji.igarashi@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5d31ee302db073d5e99cf307315d2d631eaa34a5
Log: Fixed bug #42560
 [2021-01-19 10:45 UTC] nikic@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 12:01:27 2024 UTC