PHP :: Doc Bug #46925 :: when open_basedir="." the working directory is set to the executable location

when open_basedir="." the working directory is set to the executable location

Submitted:

2008-12-22 11:55 UTC

Modified:

2021-05-20 16:29 UTC

Votes:	7
Avg. Score:	2.9 ± 0.8
Reproduced:	5 of 6 (83.3%)
Same Version:	3 (60.0%)
Same OS:	4 (80.0%)

From:

eyal at zend dot com

Assigned:

Status:

Open

Package:

Safe Mode/open_basedir

PHP Version:

5.2.8

OS:

Windows *

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	eyal at zend dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2008-12-22 11:55 UTC] eyal at zend dot com

Description:
------------
NOTE: Tested with FastCGI module on IIS 7.
1. Verify you have info.php in your docroot.
2. Set the directive open_basedir="."
3. Request the script info.php



Reproduce code:
---------------
<?php phpinfo(): ?>

Expected result:
----------------
The phpinfo() output




Actual result:
--------------
PHP Warning:  Unknown: open_basedir restriction in effect. File(C:\inetpub\wwwroot\info.php) is not within the allowed path(s): (.) in Unknown on line 0


To verify the location that is not restricted you can do the following:
Add a virtual directory to the default web site with a physical path of the php-fastCGI.exe and put the info.php there as well.

Now you can see that when requesting the file from the virtual directory you will receive the phpinfo() output.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-12-23 15:00 UTC] pajoye@php.net

Do we really want to support relative path? It may (incidentally) have worked before but I can't think of any sane usage of a relative path for open_basedir.

[2017-10-24 07:50 UTC] kalle@php.net

-Status: Assigned +Status: Open -Assigned To: dmitry +Assigned To:

[2021-05-03 12:15 UTC] cmb@php.net

Related To: Bug #77474

[2021-05-03 12:18 UTC] cmb@php.net

We even document[1]:

| The special value . indicates that the working directory of the
| script will be used as the base-directory.

[1] <https://www.php.net/manual/en/ini.core.php#ini.open-basedir>

[2021-05-20 16:29 UTC] cmb@php.net

-Type: Bug +Type: Documentation Problem

[2021-05-20 16:29 UTC] cmb@php.net

Well, '.' refers to the current working directory, and on startup,
that defaults to the location of the php-cgi executable, when run
as (F)CGI.  If you set open_basedir only at the request level
(i.e. from inside a PHP script), '.' works as advertized in the
manual.

Note that the php executable does not check the given script for
open_basedir violations at all.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Jul 02 18:01:34 2025 UTC