php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #46925 when open_basedir="." the working directory is set to the executable location
Submitted: 2008-12-22 11:55 UTC Modified: 2021-05-20 16:29 UTC
Votes:7
Avg. Score:2.9 ± 0.8
Reproduced:5 of 6 (83.3%)
Same Version:3 (60.0%)
Same OS:4 (80.0%)
From: eyal at zend dot com Assigned:
Status: Open Package: Safe Mode/open_basedir
PHP Version: 5.2.8 OS: Windows *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: eyal at zend dot com
New email:
PHP Version: OS:

 

 [2008-12-22 11:55 UTC] eyal at zend dot com
Description:
------------
NOTE: Tested with FastCGI module on IIS 7.
1. Verify you have info.php in your docroot.
2. Set the directive open_basedir="."
3. Request the script info.php



Reproduce code:
---------------
<?php phpinfo(): ?>

Expected result:
----------------
The phpinfo() output




Actual result:
--------------
PHP Warning:  Unknown: open_basedir restriction in effect. File(C:\inetpub\wwwroot\info.php) is not within the allowed path(s): (.) in Unknown on line 0


To verify the location that is not restricted you can do the following:
Add a virtual directory to the default web site with a physical path of the php-fastCGI.exe and put the info.php there as well.

Now you can see that when requesting the file from the virtual directory you will receive the phpinfo() output.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-12-23 15:00 UTC] pajoye@php.net
Do we really want to support relative path? It may (incidentally) have worked before but I can't think of any sane usage of a relative path for open_basedir.
 [2017-10-24 07:50 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: dmitry +Assigned To:
 [2021-05-03 12:18 UTC] cmb@php.net
We even document[1]:

| The special value . indicates that the working directory of the
| script will be used as the base-directory.

[1] <https://www.php.net/manual/en/ini.core.php#ini.open-basedir>
 [2021-05-20 16:29 UTC] cmb@php.net
-Type: Bug +Type: Documentation Problem
 [2021-05-20 16:29 UTC] cmb@php.net
Well, '.' refers to the current working directory, and on startup,
that defaults to the location of the php-cgi executable, when run
as (F)CGI.  If you set open_basedir only at the request level
(i.e. from inside a PHP script), '.' works as advertized in the
manual.

Note that the php executable does not check the given script for
open_basedir violations at all.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 17:01:29 2024 UTC