Request #46934 Unable to untighten open_basedir restriction
Submitted: 2008-12-23 08:55 UTC Modified: 2010-06-13 14:54 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kristof dot coomans at telenet dot be
Assigned:
Status: Open
Package: *General Issues
PHP Version: 5.3CVS-2009-04-10
OS: *
Private report: No
CVE-ID: None

 [2008-12-23 08:55 UTC] kristof dot coomans at telenet dot be
Description:
------------
I'm testing the new feature introduced lately, namely "tightening" the open_basedir setting. This might be a very good security measure, to prevent relative directory traversal exploits.

However, sometimes it is useful to tighten the path only for certain code, and untighten it again afterward to its original value. This doesn't seem to work currently.

Reproduce code:
---------------
<?php

// original open_basedir value
echo ini_get( 'open_basedir' ) . PHP_EOL;

$newBaseDir = dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'var' . DIRECTORY_SEPARATOR;

ini_set( 'open_basedir', $newBaseDir );

// new tightened open_basedir value
echo ini_get( 'open_basedir' ) . PHP_EOL;

// this will fail, as intended, because of the open_basedir restriction
file_put_contents( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'test.txt', 'test 123 456' );

ini_restore( 'open_basedir' );

// original open_basedir value again
echo ini_get( 'open_basedir' ) . PHP_EOL;

// this will still fail, not intended
file_put_contents( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'test.txt', 'test 123 456' );

?>

Expected result:
----------------
The last call should be allowed, and a file test.txt should have been created in the same directory as the script.

Actual result:
--------------
Warning: file_put_contents(): open_basedir restriction in effect. File(C:\sites\
trunk\test.txt) is not within the allowed path(s): (░δ?☺♀) in ...

Warning: file_put_contents(C:\sites\trunk\test.txt): failed to open stream: Operation not permitted in ...

 [2008-12-27 23:46 UTC] bjori@php.net
I don't think the plan was to allow un-tightening it again..
 [2009-04-10 17:46 UTC] jani@php.net
See also bug #47945

 [2009-04-10 17:49 UTC] jani@php.net
Sara, can you either confirm or fix what Hannes said above?
 [2009-04-12 16:17 UTC] crrodriguez at opensuse dot org
I think that allowing un-tightening is not a very good idea...


<?php 

ini_set( 'open_basedir', $newBaseDir );


//good code

ini_restore( 'open_basedir' );


//bad exploitable code here, "protection" useless...


I think it should be allowed only once.
 [2010-06-13 14:54 UTC] felipe@php.net
-Status: Assigned
+Status: Open
-Package: Feature/Change Request
+Package: *General Issues
-Assigned To: pollita
+Assigned To:
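
Added example (not part of the original report or of PHP's own code): a CLI self-check that reports whether a runtime-tightened open_basedir can be widened again on the PHP build at hand, using both ini_set() and ini_restore() as discussed in the thread. The helper name probe_open_basedir_ratchet() and the scratch directory layout are assumptions made for the illustration; it expects open_basedir to be unset, or to cover the system temp directory, when the script starts.

```php
<?php
// Added illustration, not code from the report. probe_open_basedir_ratchet()
// and the scratch directory layout are hypothetical names chosen here.

function probe_open_basedir_ratchet(string $root): array
{
    // Trailing separator, as in the report, so the value names one directory.
    $jail    = $root . DIRECTORY_SEPARATOR . 'var' . DIRECTORY_SEPARATOR;
    $inside  = $jail . 'inside.txt';
    $outside = $root . DIRECTORY_SEPARATOR . 'outside.txt';
    $r = [];

    // 1. Tighten. ini_set() returns the old value on success, false on failure.
    $r['tighten_accepted'] = ini_set('open_basedir', $jail) !== false;

    // 2. The restriction must allow the jail and refuse its parent.
    $r['write_inside_ok']       = @file_put_contents($inside, 'ok') !== false;
    $r['write_outside_blocked'] = @file_put_contents($outside, 'x') === false;

    // 3. Try both ways of widening discussed in the report.
    $r['widen_via_ini_set_rejected'] = ini_set('open_basedir', $root) === false;
    ini_restore('open_basedir');
    $r['reported_after_restore']        = ini_get('open_basedir');
    $r['outside_blocked_after_restore'] = @file_put_contents($outside, 'x') === false;

    return $r;
}

// Constructed scratch area; created before tightening, left behind afterwards.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'obd_probe_' . getmypid();
mkdir($root . DIRECTORY_SEPARATOR . 'var', 0700, true);
$root = realpath($root); // resolve symlinks so the paths match what PHP checks

$results = probe_open_basedir_ratchet($root);
foreach ($results as $check => $value) {
    $shown = is_bool($value) ? ($value ? 'yes' : 'NO') : var_export($value, true);
    printf("%-32s %s\n", $check, $shown);
}

// Non-zero exit if the tightened restriction could be escaped in this process.
$held = $results['write_outside_blocked'] && $results['outside_blocked_after_restore'];
exit($held ? 0 : 1);
```

Comparing reported_after_restore with outside_blocked_after_restore shows whether the value ini_get() reports and the restriction actually enforced have diverged, which is the mismatch the reporter describes.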
 
Last updated: Tue Sep 17 08:01:27 2019 UTC