php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #53516 open_basedir BUG introduced in PHP 5.2.15
Submitted: 2010-12-10 11:28 UTC Modified: 2010-12-10 13:50 UTC
Votes:4
Avg. Score:5.0 ± 0.0
Reproduced:3 of 4 (75.0%)
Same Version:3 (100.0%)
Same OS:2 (66.7%)
From: ofi at evil dot net dot pl Assigned: iliaa
Status: Closed Package: Streams related
PHP Version: 5.2.15 OS: Linux 2.6.36.1
Private report: No CVE-ID:
 [2010-12-10 11:28 UTC] ofi at evil dot net dot pl
Description:
------------
Just look at:
http://svn.php.net/viewvc/php/php-src/branches/PHP_5_2/main/fopen_wrappers.c?r1=303823&r2=306136

and

http://svn.php.net/viewvc/php/php-src/branches/PHP_5_3/main/fopen_wrappers.c?r1=305507&r2=305698

'-1' is missing in 5_2 branch

Test script:
---------------
Not needed - just enable open_basedir.

Expected result:
----------------
Working php script.

Actual result:
--------------
Open_basedir restriction...

Patches

open_basedir-5.2.15-fix.patch (last revision 2010-12-10 10:44 UTC) by ofi at evil dot net dot pl)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-12-10 13:50 UTC] iliaa@php.net
Automatic comment from SVN on behalf of iliaa
Revision: http://svn.php.net/viewvc/?view=revision&revision=306184
Log: Fixed bug #53516 (Regression in open_basedir handling).
 [2010-12-10 13:50 UTC] iliaa@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: iliaa
 [2010-12-10 13:50 UTC] iliaa@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2010-12-15 14:50 UTC] joho at boojam dot se
Wouldn't this merit 5.2.16 considering it's "quite" fatal?
 [2011-03-02 12:59 UTC] webmaster at imposit dot com
This seems not to be solved in 5.2.17 either
for example
open_basedir = /var/www

within /var/www/login.php  has
include ('step2.php');
/var/www/step2.php exist (same right as other files, readable...)
openbasedir restriction denies access to the file

you need to include('./step2.php')
to get it work


this is not possible, on my hosts running tousands of different php scripts
does work until and including version 5.2.14
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 03:01:55 2014 UTC