php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #53514 open_basedir broken in PHP 5.2.15, denies access to all files
Submitted: 2010-12-10 09:24 UTC Modified: 2010-12-10 12:42 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:2 (100.0%)
From: tomsommer@php.net Assigned:
Status: Duplicate Package: Safe Mode/open_basedir
PHP Version: 5.2.15 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
 [2010-12-10 09:24 UTC] tomsommer@php.net 
Description:
------------
The fix for CVE-2010-3436 broke open_basedir

Might also affect PHP 5.3.4

consider

    php_admin_value open_basedir "/var/www/www.example.dk/:/var/www/tmp/:/usr/local/bin/safe/"

The DocumentRoot of the site is "/var/www/www.example.dk/www/"

Opening /var/www/www.example.dk/www/index.php (http://example.dk/index.php) triggers:

Warning: Unknown: open_basedir restriction in effect. File(/var/www/www.example.dk/www/index.php) is not within the allowed path(s): (/var/www/www.example.dk/:/var/www/tmp/:/usr/local/bin/safe/) in Unknown on line 0

Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0

Warning: Unknown: open_basedir restriction in effect. File(/var/www/www.example.dk/www/index.php) is not within the allowed path(s): (/var/www/www.example.dk/:/var/www/tmp/:/usr/local/bin/safe/) in Unknown on line 0

Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0

Fatal error: Unknown: Failed opening required '/var/www/www.example.dk/www/index.php' (include_path='.:/usr/local/lib/php') in Unknown on line 0

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-12-10 09:26 UTC] tomsommer@php.net 
The commit that presumably broke it: http://svn.php.net/viewvc/php/php-src/trunk/main/fopen_wrappers.c?r1=303824&r2=303823&pathrev=303824
 [2010-12-10 09:33 UTC] cataphract@php.net 
See also http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg847440.html
 [2010-12-10 09:45 UTC] tomsommer@php.net
-Summary: open_basedir broken in PHP 5.3.15, denies all access to files +Summary: open_basedir broken in PHP 5.2.15 and PHP 5.3.4, denies access to all files
 [2010-12-10 09:50 UTC] cataphract@php.net 
I can't reproduce this with:

/home/glopes/php/php5.3/bin/php -d open_basedir=/home/glopes/ -r "echo fopen('a.php', 'r');"

Are you sure you're not using RC1?
 [2010-12-10 09:55 UTC] tomsommer@php.net 
Only tested in PHP 5.2.15, downloaded an hour ago

# /usr/local/src/php-5.2.15/sapi/cli/php -d open_basedir=/root/ -r "echo fopen('/root/a.php', 'r');"

Warning: fopen(): open_basedir restriction in effect. File(/root/a.php) is not within the allowed path(s): (/root/) in Command line code on line 1

Warning: fopen(/root/a.php): failed to open stream: Operation not permitted in Command line code on line 1
 [2010-12-10 10:02 UTC] tomsommer@php.net
-Summary: open_basedir broken in PHP 5.2.15 and PHP 5.3.4, denies access to all files +Summary: open_basedir broken in PHP 5.2.15, denies access to all files
 [2010-12-10 10:03 UTC] tomsommer@php.net 
Cannot reproduce in PHP 5.3.4, seems to only affect 5.2.15
 [2010-12-10 10:03 UTC] cataphract@php.net 
Yes, in 5.2 even this fails:

/home/glopes/php/php5.2/bin/php -d open_basedir=/ -r "echo fopen('a.php', 'r');"

Warning: fopen(): open_basedir restriction in effect. File(a.php) is not within the allowed path(s): (/) in Command line code on line 1
 [2010-12-10 11:46 UTC] ofi at evil dot net dot pl 
Please see bug #53516

Sorry for double-posting a bug
 [2010-12-10 12:42 UTC] pajoye@php.net
-Status: Open +Status: Duplicate
 [2010-12-10 12:42 UTC] pajoye@php.net 
See #53516
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Oct 26 17:00:01 2025 UTC