php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #53263 Allow realpath cache to function even with open_basedir enabled
Submitted: 2010-11-08 14:17 UTC Modified: 2010-11-08 17:44 UTC
Votes:25
Avg. Score:3.6 ± 0.9
Reproduced:9 of 12 (75.0%)
Same Version:0 (0.0%)
Same OS:6 (66.7%)
From: tomsommer@php.net Assigned:
Status: Open Package: Safe Mode/open_basedir
PHP Version: 5.3.3 OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: tomsommer@php.net
New email:
PHP Version: OS:

 

 [2010-11-08 14:17 UTC] tomsommer@php.net
Description:
------------
As described in bug #52312 - realpath cache is disabled when open_basedir is enabled. Would it be possible to either:

1) Fix the security problem related to having both enabled at the same time
2) Add a php.ini or ./configure toggle to enable both at the same time, overriding the security aspect in order to gain performance.

Thanks


Patches

asdf (last revision 2014-11-07 12:32 UTC) by asdf at gmail dot com)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-11-08 17:44 UTC] rasmus@php.net
I don't think the security problem is fixable.  We have no way to prevent the contents behind a cache entry from changing which is the root of the security problem.  And I don't see the point in open_basedir if you remove the security aspect.  The less secure toggle is to simply turn off open_basedir.  An open_basedir feature that doesn't actually guarantee that users can't open files outside of the specified base directory isn't useful.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC