php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #63904 open_basedir is not respected for .user.ini files
Submitted: 2013-01-04 16:01 UTC Modified: 2021-07-12 17:23 UTC
From: lekensteyn at gmail dot com Assigned:
Status: Open Package: Safe Mode/open_basedir
PHP Version: 5.4.10 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: lekensteyn at gmail dot com
New email:
PHP Version: OS:

 

 [2013-01-04 16:01 UTC] lekensteyn at gmail dot com 
Description:
------------
(this bug possibly applies to the CGI SAPI too, but I have not checked that.)

In a default configuration for PHP-FPM, the use of .user.ini files is enabled. This feature allows you to put .user.ini interleaved with PHP files.

There is a possibility to bypass open_basedir restrictions by using symlinks. For a given open_basedir = /foo/, a symlink /foo/.user.ini -> /bar/php.ini can be used to read the configuration of /bar/php.ini.

It does not look like a feature, at first I wanted to have a .user.ini just outside the webroot (e.g. web/.user.ini with DOCUMENT_ROOT web/public_html), but having the symlink defeats the advantage of putting it outside the webroot for privacy. (ignoring WWW server abilities to restrict access). Therefore, it must be a bug that open_basedir is not respected for .user.ini files.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-07-12 15:39 UTC] cmb@php.net
-Type: Security +Type: Bug
 [2021-07-12 15:39 UTC] cmb@php.net 
open_basedir bypasses are not considered to be security issues;
cf. <https://externals.io/message/105606>
and <https://externals.io/message/115406>.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 07:01:27 2024 UTC