php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #64634 copy() not working with stream wrappers when open_basedir is set
Submitted: 2013-04-11 19:14 UTC Modified: 2014-01-05 20:20 UTC
Votes:1
Avg. Score:4.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: ovidiu at softped dot com Assigned: ab
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5.4.14 OS: Windows
Private report: No CVE-ID:
 [2013-04-11 19:14 UTC] ovidiu at softped dot com
Description:
------------
When open_basedir is set to something other than "no value" the copy function 
fails when trying to read from php://input with the following message:

Warning: copy(): open_basedir restriction in effect. File(php://input) is not 
within the allowed path(s): (d:\server)

However, when trying file_get_contents('php://input') it successfully reads the 
data.

Test script:
---------------
<?php
copy('php://input','destination.txt');
?>

Expected result:
----------------
Expected a new file to be created "destination.txt" with the contents of 
php://input

Actual result:
--------------
Warning: copy(): open_basedir restriction in effect. File(php://input) is not 
within the allowed path(s): (d:\server)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-04-19 08:31 UTC] ab@php.net
-Status: Open +Status: Analyzed
 [2013-04-19 08:31 UTC] ab@php.net
Looks like the explicit basedir check can be removed in copy() as in the subsequential stack it calls _php_stream_open_wrapper_ex which would care about it anyway. Though I'm not sure what BC and security breaches it would introduce. 

@ovidiu what prevents you to use something like stream_copy_to_stream() or alike?
 [2013-04-20 18:56 UTC] ovidiu at softped dot net
I was actually using fread / fwrite because I didn't know about 
stream_copy_to_stream() but I will it instead. Thank you.
 [2014-01-05 20:20 UTC] ab@php.net
-Status: Analyzed +Status: Closed -Assigned To: +Assigned To: ab
 [2014-01-05 20:20 UTC] ab@php.net
Ok then, better not to touch the running system :)
 
PHP Copyright © 2001-2015 The PHP Group
All rights reserved.
Last updated: Fri Mar 27 01:02:03 2015 UTC