PHP :: Bug #44391 :: open_basedir prohibits creating a new file within allowed path

Bug #44391

open_basedir prohibits creating a new file within allowed path

Submitted:

2008-03-10 12:39 UTC

Modified:

2008-03-20 13:49 UTC

Votes:	1
Avg. Score:	5.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

david at dfoerster dot de

Assigned:

Status:

Wont fix

Package:

Safe Mode/open_basedir

PHP Version:

5.2.5

OS:

Linux

Private report:

CVE-ID:

None

View Developer Edit

[2008-03-10 12:39 UTC] david at dfoerster dot de

Description:
------------
When trying to create a new file within a symlinked document root, open_basedir raises an error allthough the access should be granted.

The error message is obviously wrong:

open_basedir restriction in effect. File(/somepath/somefile) is not within the allowed path(s): (/somepath)

(Because the file _is_ in the allowed path.)

Reproduce code:
---------------
Create a directory and a symlink to it (both on the same level).
Setup an Apache host with the document root and open_basedir set to the symlink.
Create a PHP script within the symlink-directory trying to touch a file in the symlinked directory using the absolute path.

Expected result:
----------------
The file gets created as it's location is within open_basedir

Actual result:
--------------
An error message stating that the file /somesymlinkedpath/file is not within the allowed path /somesymlinkedpath.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-03-10 12:50 UTC] david at dfoerster dot de

I'm aware, that this bug has been reported before (30188) and is mentioned in the documentation.

However, documenting the bug doesn't help.

I suggest fixing this bug by treating the creation of files the same as the creation of directories which works fine.

[2008-03-10 16:08 UTC] felipe@php.net

Please, Keep the summary.

[2008-03-10 16:22 UTC] steffann@php.net

This is expected behaviour. If open_basedir was allowed to follow symlinks, the protection would be easy to circumvent. The solution is to configure the real basedir, not the symlinked one.

You expect "The file gets created as it's location is within open_basedir", but this is not true. The real location of the file is where the symlink points to.

[2008-03-20 13:49 UTC] david at dfoerster dot de

The problem also occurs, when the open_basedir path is no symlink but the real path.

Why should the creation of files be treated differently from the creation of directories? mkdir works fine and symlinks get resolved.

Fixing this bug has no security implication whatsoever but only improves usability.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 14:01:32 2024 UTC