|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #50293 Several openssl functions ignore the VCWD
Submitted: 2009-11-25 15:05 UTC Modified: 2022-06-10 08:46 UTC
Avg. Score:3.9 ± 0.9
Reproduced:5 of 5 (100.0%)
Same Version:5 (100.0%)
Same OS:3 (60.0%)
From: gufophp at gmail dot com Assigned: bukka (profile)
Status: Closed Package: OpenSSL related
PHP Version: 7.4 OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: gufophp at gmail dot com
New email:
PHP Version: OS:


 [2009-11-25 15:05 UTC] gufophp at gmail dot com
incorrect path save export file

Reproduce code:
$ssl_configargs = array("digest_alg" => "OPENSSL_ALGO_SHA1",
"private_key_bits" => 384,"encrypt_key" => false,"basicConstraints" => "CA:true","keyUsage" => "cRLSign, keyCertSign",
"nsCertType" => "sslCA, emailCA");
$dn = array("countryName" => 'IT',"stateOrProvinceName" => 'Italy',
"localityName" => 'city',"organizationName" => 'org',
"organizationalUnitName" => 'unit',"commonName" => 'name' ,"emailAddress" => 'mail' );
$numberofdays = '365';
$pkey = openssl_pkey_new( $ssl_configargs );
$csr = openssl_csr_new( $dn, $privkey, $ssl_configargs );
$sscert = openssl_csr_sign( $csr, null, $privkey, $numberofdays );
openssl_csr_export( $csr, $csrout );
openssl_x509_export( $sscert, $certout );
openssl_x509_export_to_file ($sscert ,'crt_509_sk.crt',false);
openssl_pkey_export( $privkey, $pkeyout, $configargs['licence_pwd' ]);

Expected result:

Actual result:
C:\Programmi\Apache Software Foundation\Apache2.2


bug-50293 (last revision 2010-08-12 01:31 UTC by

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2009-11-25 18:28 UTC]
I think the case is clear, it looks like we do not use VCWD or php stream's api and it fails to get the actual CWD.

I will take a look at it asap.
 [2010-08-12 03:31 UTC]
The following patch has been added/updated:

Patch Name: bug-50293
Revision:   1281576663
 [2010-08-12 03:31 UTC]
I added a roughly untested patch for this, as I have some issues getting openssl to work in my build env, so the patch is more a theory of how it could be fixed.
 [2017-10-24 07:32 UTC]
-Status: Assigned +Status: Open -Assigned To: pajoye +Assigned To:
 [2021-08-13 11:54 UTC]
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2021-08-13 11:54 UTC]
I think full stream support is out of scope for any of the stable
versions (and there is already request #50718 for that), but ZTS
builds not regarding the CWD should be fixed.
 [2021-08-17 13:21 UTC]
-Summary: openssl_****_export_to_file +Summary: Several openssl functions ignore the VCWD -Operating System: win32 only - apache +Operating System: * -PHP Version: 5.2.11 +PHP Version: 7.4
 [2021-08-31 11:58 UTC]
The following pull request has been associated:

Patch Name: Fix #50293: Several openssl functions ignore the VCWD
On GitHub:
 [2021-09-21 15:39 UTC]
-Assigned To: cmb +Assigned To:
 [2022-06-09 18:57 UTC]
Automatic comment on behalf of bukka
Log: Fix bug #50293 and #81713: file path checking in OpenSSL functions
 [2022-06-09 18:57 UTC]
-Status: Verified +Status: Closed
 [2022-06-10 08:46 UTC]
-Assigned To: +Assigned To: bukka
 [2022-06-10 08:46 UTC]
Just for the reference it will land in 8.0.21 and 8.1.8
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Fri Aug 19 02:03:36 2022 UTC