|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69240 is_dir() warns of open_basedir restriction on non-existent directory in config
Submitted: 2015-03-15 10:01 UTC Modified: 2015-05-31 18:51 UTC
Avg. Score:4.5 ± 0.5
Reproduced:4 of 4 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (25.0%)
From: andrea dot cristaudo at gmail dot com Assigned:
Status: Verified Package: Safe Mode/open_basedir
PHP Version: 5.5.22 OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: andrea dot cristaudo at gmail dot com
New email:
PHP Version: OS:


 [2015-03-15 10:01 UTC] andrea dot cristaudo at gmail dot com
If open_basedir is active, file_exists(), as well as is_dir() and 
is_file(), throw an open_basedir warning if you check a directory mentioned in the open_basedir configuration if that directory is non-existent.

Same result on v5.5.9 and v.5.3.3 that I've tested on.

Somehow related to and

Test script:
#php -d open_basedir=/tmp -r 'var_dump(is_dir("/tmp"));'

#php -d open_basedir=/tmp2 -r 'var_dump(is_dir("/tmp2"));'

Expected result:


Actual result:

PHP Warning:  is_dir(): open_basedir restriction in effect. File(/tmp2) is not within the allowed path(s): (/tmp2) in Command line code on line 1
PHP Stack trace:
PHP   1. {main}() Command line code:0
PHP   2. is_dir() Command line code:1


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2015-03-16 07:53 UTC]
-Status: Open +Status: Verified
 [2015-03-16 07:53 UTC]
Verified on 5.5.24-dev

Output on 5.6.4 is
 [2015-05-19 11:03 UTC]
-Assigned To: +Assigned To: cmb
 [2015-05-19 11:03 UTC]
Related to bug #52065.
 [2015-05-31 18:51 UTC]
-Assigned To: cmb +Assigned To:
 [2015-10-09 15:45 UTC] ben at indietorrent dot org
I should note also that the \ErrorException's error message is invalid, too, in that the message is illogical and contradictory.

Here is an example:

is_dir(): open_basedir restriction in effect. File(/srv/www/ is not within the allowed path(s): (/srv/www/

My point is that the referenced file (which is in fact a directory, but that's beside the point) is indeed present in the allow path(s) list.

It bears mention that this contradictory message seems to be a product of this bug. In other words, the contradictory message occurs only when the directory in question does not exist on the filesystem.
 [2016-08-06 16:02 UTC] ben at indietorrent dot org
A follow-up to my previous comment.

I'm not sure if or when the exact message was changed, but having encountered this more recently (in PHP 7), the \ErrorException message is in fact correct in that it notes (too subtly, in my opinion) that the *File* is not within the allowed paths.

Maybe I had simply overlooked this most important distinction in the error message: the message is referring to a *file*, not a *directory*.

Let's look at a clearer example of this problem. This is triggered in Symfony:

ErrorException in ExecutableFinder.php line 63:
is_executable(): open_basedir restriction in effect. File(/usr/share/php) is not within the allowed path(s): (/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/usr/local/zend/var/zray/extensions:/usr/local/zend/share:/usr/local/zend/var/plugins)

is_dir(): open_basedir restriction in effect. File(/srv/www/ is not within the allowed path(s): (/srv/www/

What is actually happening here is that Symfony is poking-around for PHP executable locations and calls `is_executable(/usr/share/php)`.

The reason for which the message is so confusing (in my opinion) is that the file for which Symfony is looking, `/usr/share/php`, actually points to a *directory* on many systems, such as Debian/Ubuntu GNU/Linux. Until I studied the message more carefully, I thought, "This is so strange... the very directory for which PHP is looking is the first one listed in the open_basedir directive!"

I suppose the important question is whether or not the \ErrorException message changes when I call is_dir('/usr/share/php') or scandir('/usr/share/php'). I will test this soon.

If not, then the message is ambiguous, and the underlying logic should really be reworked to make clear whether PHP is attempting to access a file or a directory. One might argue that there is no meaningful distinction between a file and a directory where the underlying mechanisms are concerned, but if that is true, the message is then invalid.
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun May 16 16:01:23 2021 UTC