|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #48111 unlink() does not delete symlinks without a target if open_basedir is used
Submitted: 2009-04-29 17:42 UTC Modified: 2021-05-21 12:05 UTC
Avg. Score:3.4 ± 1.4
Reproduced:6 of 7 (85.7%)
Same Version:3 (50.0%)
Same OS:3 (50.0%)
From: simon at stienen dot name Assigned: cmb (profile)
Status: Wont fix Package: Safe Mode/open_basedir
PHP Version: 5.2.9 OS: FreeBSD 7.1-RELEASE/amd64
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: simon at stienen dot name
New email:
PHP Version: OS:


 [2009-04-29 17:42 UTC] simon at stienen dot name
unlink()ing a symlink with its target missing fails with an open_basedir error.

This might be related to (actual deletion changed, but sanitization still uses target?) and/or (missing target (empty string?) is considered to be outside of open_basedir?)

Reproduce code:

echo "creating link\n";
symlink('nonexisting_target', 'link');

echo "unlinking link\n";

echo "creating target\n";
file_put_contents('nonexisting_target', 'foo');

echo "unlinking link (again)\n";

echo "unlinking target\n";

Expected result:
Run with php -d open_basedir=

creating link
unlinking link
creating target
unlinking link (again)

Warning: unlink(link): No such file or directory in /tmp/- on line 13
unlinking target

Actual result:
Run with php -d open_basedir=/

creating link
unlinking link

Warning: unlink(): open_basedir restriction in effect. File(link) is not within the allowed path(s): (/) in /tmp/- on line 7
creating target
unlinking link (again)
unlinking target


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2009-04-29 20:39 UTC] simon at stienen dot name
Ok, a possible solution would be to apply the open_basedir check to the parent directory instead of the file or the symlink itself.

I have implemented and slightly tested this, but please consider that my C knowledge is somewhat limited and I have almost no insight into PHPs internals, so please treat these diffs with the necessary care:
 [2010-02-14 20:27 UTC] antoine dot contal+bugs dot php dot net at gmail dot com
Same issue with PHP 5.2.11.
 [2011-04-08 18:21 UTC]
-Package: Feature/Change Request +Package: Safe Mode/open_basedir
 [2021-05-21 12:05 UTC]
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb
 [2021-05-21 12:05 UTC]
> Ok, a possible solution would be to apply the open_basedir check
> to the parent directory instead of the file or the symlink itself.

Well, that would require special casing for unlinking symlinks,
which was rejected for bug #29145.
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Wed May 25 14:04:06 2022 UTC