php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #65188 Undocumented change for open_basedir restrictions
Submitted: 2013-07-03 00:44 UTC Modified: 2013-07-04 22:29 UTC
From: lennsen at chello dot at Assigned:
Status: Not a bug Package: *Directory/Filesystem functions
PHP Version: 5.4.16 OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: lennsen at chello dot at
New email:
PHP Version: OS:

 

 [2013-07-03 00:44 UTC] lennsen at chello dot at
Description:
------------
Between 5.3 and since 5.4 (also 5.5) there was a significant change for its reasons I am not aware of.

If there is some directory e.g. /somedir having a script e.g. index.php then in 5.3 (and lower) it was possible to call this file by setting an apache document root there and if only read access was required, then one could call that vhost with /somedir/index.php without the need of having /somedir within open_basedir

  e.g. http://somedir.domain.com/index.php

since 5.4 this is not possible any more, it returns an error with open_basedir restriction in effect and that the stream could not be opened

I tested this with the very same systems (on 3 different ones), same configure options, same php.ini - the only difference was the PHP version, confirmed with 5.3 (working), 5.4.16, 5.5.0 (both not working)


I guess that it might have something to do with the removal of safe_mode and its checks, perhaps the modifications for the core caused this change, but I can not tell for sure.

As far as possible I adapted the following files from 5.3 to 5.4 by comparison and removing/adding lines to make them work as close as possible to 5.3

main/fopen_wrappers.c
main/streams/streams.c 
main/fopen_wrappers.c
main/streams/plain_wrapper.c

ext/standard/php_fopen_wrapper.c
ext/standard/basic_functions.c
ext/standard/filestat.c
ext/standard/file.c


-- This is just a hint and might not mean anything, but after adapting these files (this was mostly possible until interface changes had to be made, causing gcc/make to abort) I did not see any change in behavior.


The given error is "No input file specified." (sapi fcgi is in use) and error_log gives the following errors:


PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0
PHP Warning:  Unknown: open_basedir restriction in effect. File(/somedir/index.php) is not within the allowed path(s): (/restricted_1/:/restricted_2/) in Unknown on line 0


This also might have to do something with the SAPI.


The main reason behind this is:
- I want to be able to use such a vhost, the php files should be -execute-only-, so opening and parsing index.php from within the browser should be possible
- at the same time, due to the missing entry of /somepath in open_basedir, one must not be able to open /somepath/index.php with e.g. fopen, to see the file's contents (the plain PHP code)


This worked very fine until 5.3.
A solution or alternative to achieve these 2 requirements would be great since I can not stay with 5.3 forever. Please do not suggest code compiling with e.g. Zend Optimizer, RoundCube or similar.

Individual changes in PHP's C source is an option if no generic solution is available.


configuration:
- open_basedir = "/restricted_1/:/restricted_2/"
- read/write access available for GID and UID
- no SELinux
- phpcgi and httpd are being executed with same GID and GID as the file






Expected result:
----------------
opening the resource, http://somedir.domain.com/index.php leads to opening & parsing the file

Actual result:
--------------
fails to open resource, http://somedir.domain.com/index.php
 says 'No input file specified. '

error_log contains 2 errors:

PHP Warning:  Unknown: failed to open stream: Operation not permitted in Unknown on line 0
PHP Warning:  Unknown: open_basedir restriction in effect. File(/somedir/index.php) is not within the allowed path(s): (/restricted_1/:/restricted_2/) in Unknown on line 0

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-07-03 09:52 UTC] johannes@php.net
-Status: Open +Status: Not a bug
 [2013-07-03 09:52 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This was a security discussion around CVE-2010-3436. I don't know if there is a public summary of the "open_basedir minor flaw" security thread from 28 Sep 2010.
 [2013-07-04 22:29 UTC] lennsen at chello dot at
CVE-2010-3436 was fixed in 5.3.4, but this behavior is seen in 5.3.26 as well, obviously that has nothing to do with CVE-2010-3436.

I also reverted the changes in 5.4 which were made in that CVE but that did not help.
 [2013-07-09 18:40 UTC] lennsen at chello dot at
any ideas on this?

At least I would like to see this re-opened as a "bug".
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 19:01:29 2024 UTC