php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #44391 open_basedir prohibits creating a new file within allowed path
Submitted: 2008-03-10 12:39 UTC Modified: 2008-03-20 13:49 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: david at dfoerster dot de Assigned:
Status: Wont fix Package: Safe Mode/open_basedir
PHP Version: 5.2.5 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: david at dfoerster dot de
New email:
PHP Version: OS:

 

 [2008-03-10 12:39 UTC] david at dfoerster dot de
Description:
------------
When trying to create a new file within a symlinked document root, open_basedir raises an error allthough the access should be granted.

The error message is obviously wrong:

open_basedir restriction in effect. File(/somepath/somefile) is not within the allowed path(s): (/somepath)

(Because the file _is_ in the allowed path.)

Reproduce code:
---------------
Create a directory and a symlink to it (both on the same level).
Setup an Apache host with the document root and open_basedir set to the symlink.
Create a PHP script within the symlink-directory trying to touch a file in the symlinked directory using the absolute path.

Expected result:
----------------
The file gets created as it's location is within open_basedir

Actual result:
--------------
An error message stating that the file /somesymlinkedpath/file is not within the allowed path /somesymlinkedpath.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-03-10 12:50 UTC] david at dfoerster dot de
I'm aware, that this bug has been reported before (30188) and is mentioned in the documentation.

However, documenting the bug doesn't help.

I suggest fixing this bug by treating the creation of files the same as the creation of directories which works fine.
 [2008-03-10 16:08 UTC] felipe@php.net
Please, Keep the summary.
 [2008-03-10 16:22 UTC] steffann@php.net
This is expected behaviour. If open_basedir was allowed to follow symlinks, the protection would be easy to circumvent. The solution is to configure the real basedir, not the symlinked one.

You expect "The file gets created as it's location is within open_basedir", but this is not true. The real location of the file is where the symlink points to.

 [2008-03-20 13:49 UTC] david at dfoerster dot de
The problem also occurs, when the open_basedir path is no symlink but the real path.

Why should the creation of files be treated differently from the creation of directories? mkdir works fine and symlinks get resolved.

Fixing this bug has no security implication whatsoever but only improves usability.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Nov 26 23:03:13 2021 UTC