php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #53597 open_basedir not working as documented
Submitted: 2010-12-23 12:38 UTC Modified: 2011-02-11 08:48 UTC
Votes:2
Avg. Score:3.5 ± 1.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: hsk at fli-leibniz dot de Assigned: pajoye (profile)
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5.3.4 OS: Linux
Private report: No CVE-ID: None
 [2010-12-23 12:38 UTC] hsk at fli-leibniz dot de
Description:
------------
the php manual in the section "Description of core php.ini directives"
(http://www.php.net/manual/en/ini.core.php, checked on 23-dec-10 11:55 utc)
states:

The restriction specified with open_basedir is actually a prefix, not a
directory name.

this has been so "ever since", but seems now broken at release 5.3.4 -
specifying directory name prefix gives access denied errors, only specifying complete directory name seems to work.

if the described behaviour is intentional, please fix the documentation *and note the change in BIG BOLD LETTERS in the release announcement*, or, better, fix the php-code to behave as documented.

Test script:
---------------
phpmyadmin installed and configured in /u/phpMyAdmin-3.3.8.1-all-languages

entry in /usr/lib/php.ini :

open_basedir = /tmp/:/u/phpMyAdmin:/usr/lib/php/

according to the documentation, this should give access to the phpmyadmin installation, and used to do so up to php-5.3.3, but now, as of php-5.3.4, gives an error message
open_basedir restriction in effect. File(/u/phpMyAdmin-3.3.8.1-all-languages/index.php) is not within the allowed path(s): (/tmp/:/u/phpMyAdmin:/usr/lib/php/)

it works when changing /usr/lib/php.ini to 
open_basedir = /tmp/:/u/phpMyAdmin-3.3.8.1-all-languages:/usr/lib/php/


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-12-24 05:29 UTC] aharvey@php.net
-Status: Open +Status: Duplicate -Package: *Directory/Filesystem functions +Package: Safe Mode/open_basedir
 [2010-12-24 05:29 UTC] aharvey@php.net
Duplicate of bug #53577.
 [2011-01-10 14:38 UTC] hsk at fli-leibniz dot de
#53597 is definitely *not* a duplicate of #53577, please change status

open_basedir as of 5.3.4 (and 5.3.5 as well) no longer allows to specify directory prefixes, in contradiction to the documentation

e.g., setting
  open_basedir = /u/phpMyAdmin
should accept files in /u/phpMyAdmin-3.3.8.1-all-languages, but does not
 [2011-01-10 15:34 UTC] aharvey@php.net
-Status: Duplicate +Status: Re-Opened
 [2011-01-10 15:34 UTC] aharvey@php.net
Ah, I see what you're getting at now. My apologies for closing the bug.
 [2011-01-10 16:31 UTC] pajoye@php.net
-Status: Re-Opened +Status: To be documented -Assigned To: +Assigned To: pajoye
 [2011-01-10 16:31 UTC] pajoye@php.net
Docs need to be updated but that won't change.
 [2011-01-10 16:31 UTC] pajoye@php.net
Docs need to be updated but that won't change.
 [2011-01-12 17:25 UTC] chroom dot chroom at gmail dot com
1 >> I confirm: open_basedir does not act as prefix

I experience the same problem with an earlier version: PHP 5.3.2 (API 20090626) on 32-bit Ubuntu 10.04.

2 >> A new case: open_basedir ending with a slash blocks PHP

Another problem with the same config option is: path ending with a slash practically blocks PHP in an annoying way. With open_basedir set to "/var/www/" it is expected to be able to serve files from this directory, but it doesn't work. This is not only different from the docs, this is nonsense. It's the behaviour that should be changed, not only the docs. So please change the bug status.
This excerpt from errorlog documents this absurd:

PHP Warning:  Unknown: open_basedir restriction in effect. File(/var/
www/bits.php) is not within the allowed path(s): (/var/www/) in Unknown on line 0
 [2011-02-10 16:58 UTC] vrana@php.net
-Status: To be documented +Status: Closed
 [2011-02-10 16:58 UTC] vrana@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.


 [2011-02-10 16:58 UTC] vrana@php.net
Automatic comment from SVN on behalf of vrana
Revision: http://svn.php.net/viewvc/?view=revision&revision=308212
Log: open_basedir is not prefix anymore (doc bug #53597)
 [2011-02-11 08:48 UTC] hsk at fli-leibniz dot de
ahhh, a bug once documented is a feature :-)

please reopen this case

it's not the documentation that should be changed but the php code so that php again has the behaviour it had ever since

as things are now they introduce an incompatible change to php: the setting open_basedir=/u/phpMyAdmin no longer allows to access e.g. /u/phpMyAdmin-3.3.9-all-languages/index.php

maybe http://svn.php.net/viewvc/php/php-src/trunk/main/fopen_wrappers.c?r1=305098&r2=305698 causes the problems described?
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Jan 23 05:01:24 2020 UTC