php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #46934 Unable to untighten open_basedir restriction
Submitted: 2008-12-23 08:55 UTC Modified: 2020-10-17 14:00 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kristof dot coomans at telenet dot be Assigned:
Status: Suspended Package: *General Issues
PHP Version: 5.3CVS-2009-04-10 OS: *
Private report: No CVE-ID: None
View Developer Edit
 [2008-12-23 08:55 UTC] kristof dot coomans at telenet dot be 
Description:
------------
I'm testing the new feature introduced lately, namely "tightening" the open_basedir setting. This might be a very good security measure, to prevent relative directory traversal exploits.

However, sometimes it is useful to tighten the path only for certain code, and untighten it again afterward to its original value. This doesn't seem to work currently.

Reproduce code:
---------------
<?php

// original open_basedir value
echo ini_get( 'open_basedir' ) . PHP_EOL;

$newBaseDir = dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'var' . DIRECTORY_SEPARATOR;

ini_set( 'open_basedir', $newBaseDir );

// new tightened open_basedir value
echo ini_get( 'open_basedir' ) . PHP_EOL;

// this will fail, as intended, because of the open_basedir restriction
file_put_contents( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'test.txt', 'test 123 456' );

ini_restore( 'open_basedir' );

// original open_basedir value again
echo ini_get( 'open_basedir' ) . PHP_EOL;

// this will stail fail, not intended
file_put_contents( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'test.txt', 'test 123 456' );

?>

Expected result:
----------------
The last call should be allowed, and a file test.txt should have been created in the same directory as the script.

Actual result:
--------------
Warning: file_put_contents(): open_basedir restriction in effect. File(C:\sites\
trunk\test.txt) is not within the allowed path(s): (&#9617;&#948;?&#9786;&#9792;) in ...

Warning: file_put_contents(C:\sites\trunk\test.txt): failed to open stream: Operation not permitted in ...

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-12-27 23:46 UTC] bjori@php.net 
I don't think the plan was to allow un-tightening it again..
 [2009-04-10 17:46 UTC] jani@php.net 
See also bug #47945
 [2009-04-10 17:49 UTC] jani@php.net 
Sara, can you either confirm or fix it what Hannes said above?
 [2009-04-12 16:17 UTC] crrodriguez at opensuse dot org 
I think that allowing un-tightening is not a very good idea...


<?php 

ini_set( 'open_basedir', $newBaseDir );


//good code

ini_restore( 'open_basedir' );


//bad exploitable code here, "protection" useless...


I think it should be allowed only once.
 [2010-06-13 14:54 UTC] felipe@php.net
-Status: Assigned +Status: Open -Package: Feature/Change Request +Package: *General Issues -Assigned To: pollita +Assigned To:
 [2020-10-17 14:00 UTC] cmb@php.net
-Status: Open +Status: Suspended
 [2020-10-17 14:00 UTC] cmb@php.net 
Obviously, this feature would require discussion for which this
bugtracker is unsuitable.  So, if you're still interested in this
feature, please forward the request to the internals mailing
list[1].  For the time being, I'm suspending this ticket.

[1] <https://www.php.net/mailing-lists.php#internals>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Dec 26 11:01:30 2024 UTC