|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44391 open_basedir prohibits creating a new file within allowed path
Submitted: 2008-03-10 12:39 UTC Modified: 2008-03-20 13:49 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: david at dfoerster dot de Assigned:
Status: Wont fix Package: Safe Mode/open_basedir
PHP Version: 5.2.5 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2008-03-10 12:39 UTC] david at dfoerster dot de
When trying to create a new file within a symlinked document root, open_basedir raises an error allthough the access should be granted.

The error message is obviously wrong:

open_basedir restriction in effect. File(/somepath/somefile) is not within the allowed path(s): (/somepath)

(Because the file _is_ in the allowed path.)

Reproduce code:
Create a directory and a symlink to it (both on the same level).
Setup an Apache host with the document root and open_basedir set to the symlink.
Create a PHP script within the symlink-directory trying to touch a file in the symlinked directory using the absolute path.

Expected result:
The file gets created as it's location is within open_basedir

Actual result:
An error message stating that the file /somesymlinkedpath/file is not within the allowed path /somesymlinkedpath.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2008-03-10 12:50 UTC] david at dfoerster dot de
I'm aware, that this bug has been reported before (30188) and is mentioned in the documentation.

However, documenting the bug doesn't help.

I suggest fixing this bug by treating the creation of files the same as the creation of directories which works fine.
 [2008-03-10 16:08 UTC]
Please, Keep the summary.
 [2008-03-10 16:22 UTC]
This is expected behaviour. If open_basedir was allowed to follow symlinks, the protection would be easy to circumvent. The solution is to configure the real basedir, not the symlinked one.

You expect "The file gets created as it's location is within open_basedir", but this is not true. The real location of the file is where the symlink points to.

 [2008-03-20 13:49 UTC] david at dfoerster dot de
The problem also occurs, when the open_basedir path is no symlink but the real path.

Why should the creation of files be treated differently from the creation of directories? mkdir works fine and symlinks get resolved.

Fixing this bug has no security implication whatsoever but only improves usability.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sat Dec 02 02:01:26 2023 UTC