php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #46925 when open_basedir="." the working directory is set to the executable location
Submitted: 2008-12-22 11:55 UTC Modified: 2021-05-20 16:29 UTC
Votes:7
Avg. Score:2.9 ± 0.8
Reproduced:5 of 6 (83.3%)
Same Version:3 (60.0%)
Same OS:4 (80.0%)
From: eyal at zend dot com Assigned:
Status: Open Package: Safe Mode/open_basedir
PHP Version: 5.2.8 OS: Windows *
Private report: No CVE-ID: None
 [2008-12-22 11:55 UTC] eyal at zend dot com
Description:
------------
NOTE: Tested with FastCGI module on IIS 7.
1. Verify you have info.php in your docroot.
2. Set the directive open_basedir="."
3. Request the script info.php



Reproduce code:
---------------
<?php phpinfo(): ?>

Expected result:
----------------
The phpinfo() output




Actual result:
--------------
PHP Warning:  Unknown: open_basedir restriction in effect. File(C:\inetpub\wwwroot\info.php) is not within the allowed path(s): (.) in Unknown on line 0


To verify the location that is not restricted you can do the following:
Add a virtual directory to the default web site with a physical path of the php-fastCGI.exe and put the info.php there as well.

Now you can see that when requesting the file from the virtual directory you will receive the phpinfo() output.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-12-23 15:00 UTC] pajoye@php.net
Do we really want to support relative path? It may (incidentally) have worked before but I can't think of any sane usage of a relative path for open_basedir.
 [2017-10-24 07:50 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: dmitry +Assigned To:
 [2021-05-03 12:18 UTC] cmb@php.net
We even document[1]:

| The special value . indicates that the working directory of the
| script will be used as the base-directory.

[1] <https://www.php.net/manual/en/ini.core.php#ini.open-basedir>
 [2021-05-20 16:29 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem
 [2021-05-20 16:29 UTC] cmb@php.net
Well, '.' refers to the current working directory, and on startup,
that defaults to the location of the php-cgi executable, when run
as (F)CGI.  If you set open_basedir only at the request level
(i.e. from inside a PHP script), '.' works as advertized in the
manual.

Note that the php executable does not check the given script for
open_basedir violations at all.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Oct 14 11:01:27 2024 UTC