Bug #53398 Latest open_basedir() changes break accessing files in subdirs
Submitted: 2010-11-24 16:01 UTC
Modified: 2010-11-24 16:23 UTC
From: info at glsys dot eu
Assigned:
Status: Not a bug
Package: Safe Mode/open_basedir
PHP Version: 5.3.3
OS: Debian
Private report: No
CVE-ID: None
 [2010-11-24 16:01 UTC] info at glsys dot eu
Description:
------------
Hi!

Real PHP version: Debian unstable 5.3.3-4
Apache2: Debian 2.2.16-4 mpm-prefork
Safe_mode: off


As the changelog says:
+ possible flaw in open_basedir (CVE-2010-3436)

After this upgrade I can not include/open files if they are in an open_basedir subdirectory.

One more interesting thing:

My Virtualhost system is located under /data/www.
I had a symlink at /var/www pointing to /data/www.

After this upgrade I had issues with open_basedir if I used /var/www.

Maybe it is related to the subdir issue.

Swifty

Actual result:
--------------
[Wed Nov 24 15:04:44 2010] [error] [client w.x.y.z] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/www/include/modules/img.php) is not within the allowed path(s): (/data/www/!Admin/:/data/www/!Error/:/data/www/include/:/data/www/sites/some.domain/) in Unknown on line 0, referer: http://some.domain/index.php
[Wed Nov 24 15:04:44 2010] [error] [client w.x.y.z] PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0, referer: http://some.domain/index.php
[Wed Nov 24 15:04:44 2010] [error] [client w.x.y.z] PHP Fatal error:  Unknown: Failed opening required '/var/www/include/modules/img.php' (include_path='.:/usr/share/php:/data/www/include') in Unknown on line 0, referer: http://some.domain/index.php

[Wed Nov 24 15:06:05 2010] [error] [client w.x.y.z] PHP Warning:  filemtime() [http://www.php.net/en/manual/function.filemtime.php]: stat failed for /data/www/sites/some.domain/modules/img.php in /data/www/include/modules/ob.cache.php on line 28, referer: http://some.domain/index.php


 [2010-11-24 16:10 UTC] info at glsys dot eu
-Package: Security related +Package: Safe Mode/open_basedir
 [2010-11-24 16:10 UTC] info at glsys dot eu
Sorry :D
Changed from Security to Safe Mode/open_basedir... :D

Swifty
 [2010-11-24 16:23 UTC] pajoye@php.net
-Status: Open +Status: Bogus
 [2010-11-24 16:23 UTC] pajoye@php.net
Already reported and fixed in SVN. However this fix was never released (applied in 5.3.4RC), Deb should update their patch.
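A triage helper for the warning format quoted in the report, as an added example that is not part of the bug thread or of PHP's code: it parses `open_basedir restriction in effect` lines and flags denials where the file is lexically inside an allowed directory, the pattern this report shows. The function names and the sample log lines are constructed for illustration, and the comparison is purely lexical: it does not resolve symlinks, which PHP does before checking.

```python
import re
from posixpath import normpath

# Constructed sample lines in the Apache error-log format quoted in the report.
SAMPLE_LOG = [
    "[Wed Nov 24 15:04:44 2010] [error] [client w.x.y.z] PHP Warning:  Unknown: open_basedir restriction in effect. File(/data/www/include/modules/img.php) is not within the allowed path(s): (/data/www/!Admin/:/data/www/!Error/:/data/www/include/:/data/www/sites/some.domain/) in Unknown on line 0, referer: http://some.domain/index.php",
    "[Wed Nov 24 15:05:01 2010] [error] [client w.x.y.z] PHP Warning:  fopen(): open_basedir restriction in effect. File(/etc/passwd) is not within the allowed path(s): (/data/www/include/:/data/www/sites/some.domain/) in /data/www/sites/some.domain/x.php on line 3",
    "[Wed Nov 24 15:05:09 2010] [error] [client w.x.y.z] PHP Warning:  include(): open_basedir restriction in effect. File(/data/www/include2/x.php) is not within the allowed path(s): (/data/www/include/) in /data/www/sites/some.domain/y.php on line 7",
    "[Wed Nov 24 15:06:05 2010] [error] [client w.x.y.z] PHP Warning:  filemtime(): stat failed for /data/www/sites/some.domain/modules/img.php",
]

DENIAL = re.compile(
    r"open_basedir restriction in effect\. File\((?P<file>.*?)\) "
    r"is not within the allowed path\(s\): \((?P<allowed>.*?)\) in "
)


def lexically_within(path, allowed):
    """True if path lies inside one of the colon-separated allowed directories.

    Assumption: each entry is treated as a directory and compared on whole
    path components, without touching the filesystem or resolving symlinks.
    """
    target = normpath(path)
    for entry in filter(None, allowed.split(":")):
        base = normpath(entry)
        if target == base or target.startswith(base.rstrip("/") + "/"):
            return True
    return False


def triage(lines):
    """Return (file, verdict) for every open_basedir denial found in lines.

    'unexpected' = denied although lexically inside an allowed directory
                   (look for symlinked paths or a regressed PHP build);
    'expected'   = outside every allowed directory (normal enforcement).
    """
    results = []
    for line in lines:
        match = DENIAL.search(line)
        if match:
            inside = lexically_within(match["file"], match["allowed"])
            results.append((match["file"], "unexpected" if inside else "expected"))
    return results


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:10} {path}")
```
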
 
Last updated: Mon Apr 22 14:01:25 2019 UTC