|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #46934 Unable to untighten open_basedir restriction
Submitted: 2008-12-23 08:55 UTC Modified: 2020-10-17 14:00 UTC
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: kristof dot coomans at telenet dot be Assigned:
Status: Suspended Package: *General Issues
PHP Version: 5.3CVS-2009-04-10 OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: kristof dot coomans at telenet dot be
New email:
PHP Version: OS:


 [2008-12-23 08:55 UTC] kristof dot coomans at telenet dot be
I'm testing the new feature introduced lately, namely "tightening" the open_basedir setting. This might be a very good security measure, to prevent relative directory traversal exploits.

However, sometimes it is useful to tighten the path only for certain code, and untighten it again afterward to its original value. This doesn't seem to work currently.

Reproduce code:

// original open_basedir value
echo ini_get( 'open_basedir' ) . PHP_EOL;

$newBaseDir = dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'var' . DIRECTORY_SEPARATOR;

ini_set( 'open_basedir', $newBaseDir );

// new tightened open_basedir value
echo ini_get( 'open_basedir' ) . PHP_EOL;

// this will fail, as intended, because of the open_basedir restriction
file_put_contents( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'test.txt', 'test 123 456' );

ini_restore( 'open_basedir' );

// original open_basedir value again
echo ini_get( 'open_basedir' ) . PHP_EOL;

// this will stail fail, not intended
file_put_contents( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'test.txt', 'test 123 456' );


Expected result:
The last call should be allowed, and a file test.txt should have been created in the same directory as the script.

Actual result:
Warning: file_put_contents(): open_basedir restriction in effect. File(C:\sites\
trunk\test.txt) is not within the allowed path(s): (&#9617;&#948;?&#9786;&#9792;) in ...

Warning: file_put_contents(C:\sites\trunk\test.txt): failed to open stream: Operation not permitted in ...


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2008-12-27 23:46 UTC]
I don't think the plan was to allow un-tightening it again..
 [2009-04-10 17:46 UTC]
See also bug #47945

 [2009-04-10 17:49 UTC]
Sara, can you either confirm or fix it what Hannes said above?
 [2009-04-12 16:17 UTC] crrodriguez at opensuse dot org
I think that allowing un-tightening is not a very good idea...


ini_set( 'open_basedir', $newBaseDir );

//good code

ini_restore( 'open_basedir' );

//bad exploitable code here, "protection" useless...

I think it should be allowed only once.
 [2010-06-13 14:54 UTC]
-Status: Assigned +Status: Open -Package: Feature/Change Request +Package: *General Issues -Assigned To: pollita +Assigned To:
 [2020-10-17 14:00 UTC]
-Status: Open +Status: Suspended
 [2020-10-17 14:00 UTC]
Obviously, this feature would require discussion for which this
bugtracker is unsuitable.  So, if you're still interested in this
feature, please forward the request to the internals mailing
list[1].  For the time being, I'm suspending this ticket.

[1] <>
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Oct 24 19:03:33 2021 UTC