php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #46925 when open_basedir="." the working directory is set to the executable location
Submitted: 2008-12-22 11:55 UTC Modified: 2021-05-20 16:29 UTC
Votes:7
Avg. Score:2.9 ± 0.8
Reproduced:5 of 6 (83.3%)
Same Version:3 (60.0%)
Same OS:4 (80.0%)
From: eyal at zend dot com Assigned:
Status: Open Package: Safe Mode/open_basedir
PHP Version: 5.2.8 OS: Windows *
Private report: No CVE-ID: None
View Developer Edit
 [2008-12-22 11:55 UTC] eyal at zend dot com 
Description:
------------
NOTE: Tested with FastCGI module on IIS 7.
1. Verify you have info.php in your docroot.
2. Set the directive open_basedir="."
3. Request the script info.php



Reproduce code:
---------------
<?php phpinfo(): ?>

Expected result:
----------------
The phpinfo() output




Actual result:
--------------
PHP Warning:  Unknown: open_basedir restriction in effect. File(C:\inetpub\wwwroot\info.php) is not within the allowed path(s): (.) in Unknown on line 0


To verify the location that is not restricted you can do the following:
Add a virtual directory to the default web site with a physical path of the php-fastCGI.exe and put the info.php there as well.

Now you can see that when requesting the file from the virtual directory you will receive the phpinfo() output.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-12-23 15:00 UTC] pajoye@php.net 
Do we really want to support relative path? It may (incidentally) have worked before but I can't think of any sane usage of a relative path for open_basedir.
 [2017-10-24 07:50 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: dmitry +Assigned To:
 [2021-05-03 12:15 UTC] cmb@php.net 
Related To: Bug #77474
 [2021-05-03 12:18 UTC] cmb@php.net 
We even document[1]:

| The special value . indicates that the working directory of the
| script will be used as the base-directory.

[1] <https://www.php.net/manual/en/ini.core.php#ini.open-basedir>
 [2021-05-20 16:29 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem
 [2021-05-20 16:29 UTC] cmb@php.net 
Well, '.' refers to the current working directory, and on startup,
that defaults to the location of the php-cgi executable, when run
as (F)CGI.  If you set open_basedir only at the request level
(i.e. from inside a PHP script), '.' works as advertized in the
manual.

Note that the php executable does not check the given script for
open_basedir violations at all.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Nov 21 13:01:29 2024 UTC