|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #53597 open_basedir not working as documented
Submitted: 2010-12-23 12:38 UTC Modified: 2011-02-11 08:48 UTC
Avg. Score:3.5 ± 1.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: hsk at fli-leibniz dot de Assigned: pajoye (profile)
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5.3.4 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: hsk at fli-leibniz dot de
New email:
PHP Version: OS:


 [2010-12-23 12:38 UTC] hsk at fli-leibniz dot de
the php manual in the section "Description of core php.ini directives"
(, checked on 23-dec-10 11:55 utc)

The restriction specified with open_basedir is actually a prefix, not a
directory name.

this has been so "ever since", but seems now broken at release 5.3.4 -
specifying directory name prefix gives access denied errors, only specifying complete directory name seems to work.

if the described behaviour is intentional, please fix the documentation *and note the change in BIG BOLD LETTERS in the release announcement*, or, better, fix the php-code to behave as documented.

Test script:
phpmyadmin installed and configured in /u/phpMyAdmin-

entry in /usr/lib/php.ini :

open_basedir = /tmp/:/u/phpMyAdmin:/usr/lib/php/

according to the documentation, this should give access to the phpmyadmin installation, and used to do so up to php-5.3.3, but now, as of php-5.3.4, gives an error message
open_basedir restriction in effect. File(/u/phpMyAdmin- is not within the allowed path(s): (/tmp/:/u/phpMyAdmin:/usr/lib/php/)

it works when changing /usr/lib/php.ini to 
open_basedir = /tmp/:/u/phpMyAdmin-


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2010-12-24 05:29 UTC]
-Status: Open +Status: Duplicate -Package: *Directory/Filesystem functions +Package: Safe Mode/open_basedir
 [2010-12-24 05:29 UTC]
Duplicate of bug #53577.
 [2011-01-10 14:38 UTC] hsk at fli-leibniz dot de
#53597 is definitely *not* a duplicate of #53577, please change status

open_basedir as of 5.3.4 (and 5.3.5 as well) no longer allows to specify directory prefixes, in contradiction to the documentation

e.g., setting
  open_basedir = /u/phpMyAdmin
should accept files in /u/phpMyAdmin-, but does not
 [2011-01-10 15:34 UTC]
-Status: Duplicate +Status: Re-Opened
 [2011-01-10 15:34 UTC]
Ah, I see what you're getting at now. My apologies for closing the bug.
 [2011-01-10 16:31 UTC]
-Status: Re-Opened +Status: To be documented -Assigned To: +Assigned To: pajoye
 [2011-01-10 16:31 UTC]
Docs need to be updated but that won't change.
 [2011-01-10 16:31 UTC]
Docs need to be updated but that won't change.
 [2011-01-12 17:25 UTC] chroom dot chroom at gmail dot com
1 >> I confirm: open_basedir does not act as prefix

I experience the same problem with an earlier version: PHP 5.3.2 (API 20090626) on 32-bit Ubuntu 10.04.

2 >> A new case: open_basedir ending with a slash blocks PHP

Another problem with the same config option is: path ending with a slash practically blocks PHP in an annoying way. With open_basedir set to "/var/www/" it is expected to be able to serve files from this directory, but it doesn't work. This is not only different from the docs, this is nonsense. It's the behaviour that should be changed, not only the docs. So please change the bug status.
This excerpt from errorlog documents this absurd:

PHP Warning:  Unknown: open_basedir restriction in effect. File(/var/
www/bits.php) is not within the allowed path(s): (/var/www/) in Unknown on line 0
 [2011-02-10 16:58 UTC]
-Status: To be documented +Status: Closed
 [2011-02-10 16:58 UTC]
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

 [2011-02-10 16:58 UTC]
Automatic comment from SVN on behalf of vrana
Log: open_basedir is not prefix anymore (doc bug #53597)
 [2011-02-11 08:48 UTC] hsk at fli-leibniz dot de
ahhh, a bug once documented is a feature :-)

please reopen this case

it's not the documentation that should be changed but the php code so that php again has the behaviour it had ever since

as things are now they introduce an incompatible change to php: the setting open_basedir=/u/phpMyAdmin no longer allows to access e.g. /u/phpMyAdmin-3.3.9-all-languages/index.php

maybe causes the problems described?
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Sep 27 08:03:38 2021 UTC