php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69240 is_dir() warns of open_basedir restriction on non-existent directory in config
Submitted: 2015-03-15 10:01 UTC Modified: 2015-05-31 18:51 UTC
Votes:2
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (50.0%)
From: andrea dot cristaudo at gmail dot com Assigned:
Status: Verified Package: Safe Mode/open_basedir
PHP Version: 5.5.22 OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2015-03-15 10:01 UTC] andrea dot cristaudo at gmail dot com
Description:
------------
If open_basedir is active, file_exists(), as well as is_dir() and 
is_file(), throw an open_basedir warning if you check a directory mentioned in the open_basedir configuration if that directory is non-existent.

Same result on v5.5.9 and v.5.3.3 that I've tested on.

Somehow related to https://bugs.php.net/bug.php?id=41518 and https://bugs.php.net/bug.php?id=24313

Test script:
---------------
#php -d open_basedir=/tmp -r 'var_dump(is_dir("/tmp"));'

#php -d open_basedir=/tmp2 -r 'var_dump(is_dir("/tmp2"));'

Expected result:
----------------
bool(true)

bool(false)

Actual result:
--------------
bool(true)

PHP Warning:  is_dir(): open_basedir restriction in effect. File(/tmp2) is not within the allowed path(s): (/tmp2) in Command line code on line 1
PHP Stack trace:
PHP   1. {main}() Command line code:0
PHP   2. is_dir() Command line code:1
bool(false)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-03-16 07:53 UTC] fa@php.net
-Status: Open +Status: Verified
 [2015-03-16 07:53 UTC] fa@php.net
Verified on 5.5.24-dev

Output on 5.6.4 is
bool(true)
bool(fals)
 [2015-05-19 11:03 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2015-05-19 11:03 UTC] cmb@php.net
Related to bug #52065.
 [2015-05-31 18:51 UTC] cmb@php.net
-Assigned To: cmb +Assigned To:
 [2015-10-09 15:45 UTC] ben at indietorrent dot org
I should note also that the \ErrorException's error message is invalid, too, in that the message is illogical and contradictory.

Here is an example:

is_dir(): open_basedir restriction in effect. File(/srv/www/example.com/web) is not within the allowed path(s): (/srv/www/example.com/web)

My point is that the referenced file (which is in fact a directory, but that's beside the point) is indeed present in the allow path(s) list.

It bears mention that this contradictory message seems to be a product of this bug. In other words, the contradictory message occurs only when the directory in question does not exist on the filesystem.
 [2016-08-06 16:02 UTC] ben at indietorrent dot org
A follow-up to my previous comment.

I'm not sure if or when the exact message was changed, but having encountered this more recently (in PHP 7), the \ErrorException message is in fact correct in that it notes (too subtly, in my opinion) that the *File* is not within the allowed paths.

Maybe I had simply overlooked this most important distinction in the error message: the message is referring to a *file*, not a *directory*.

Let's look at a clearer example of this problem. This is triggered in Symfony:

----
ErrorException in ExecutableFinder.php line 63:
is_executable(): open_basedir restriction in effect. File(/usr/share/php) is not within the allowed path(s): (/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/usr/local/zend/var/zray/extensions:/usr/local/zend/share:/usr/local/zend/var/plugins)

is_dir(): open_basedir restriction in effect. File(/srv/www/example.com/web) is not within the allowed path(s): (/srv/www/example.com/web)
----

What is actually happening here is that Symfony is poking-around for PHP executable locations and calls `is_executable(/usr/share/php)`.

The reason for which the message is so confusing (in my opinion) is that the file for which Symfony is looking, `/usr/share/php`, actually points to a *directory* on many systems, such as Debian/Ubuntu GNU/Linux. Until I studied the message more carefully, I thought, "This is so strange... the very directory for which PHP is looking is the first one listed in the open_basedir directive!"

I suppose the important question is whether or not the \ErrorException message changes when I call is_dir('/usr/share/php') or scandir('/usr/share/php'). I will test this soon.

If not, then the message is ambiguous, and the underlying logic should really be reworked to make clear whether PHP is attempting to access a file or a directory. One might argue that there is no meaningful distinction between a file and a directory where the underlying mechanisms are concerned, but if that is true, the message is then invalid.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Tue Sep 18 21:01:27 2018 UTC