php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #74171 unexpected open_basedir restriction warning
Submitted: 2017-02-26 15:02 UTC Modified: 2017-02-26 16:57 UTC
From: nk dot hesam+php at gmail dot com Assigned:
Status: Duplicate Package: Safe Mode/open_basedir
PHP Version: 5.6.30 OS: OSX, Ubuntu
Private report: No CVE-ID: None
View Developer Edit
 [2017-02-26 15:02 UTC] nk dot hesam+php at gmail dot com 
Description:
------------
very similar to Bug #41518 [https://bugs.php.net/bug.php?id=41518], but happening in a much narrower case.
consider following file structure exists:
- parent
 - folder1
  - image2.jpg
 - file.txt

with open_basedir enabled, consider one tries to perform file_exists($filename) with $filename within the permitted paths. three cases are presented:

- $filename = 'path/to/parent/folder1/image.jpg'
    file does not exists but the containing folder (folder1) does. file_exists() returns false as expected.

- $filename = 'path/to/parent/folder2/image.jpg'
    neither file nor it's containing folder (folder2) do not exist. file_exists() returns false as expected.

- $filename = 'path/to/parent/file.txt/image.jpg'
    the target file (image.jpg) does not exist but there is a file named file.txt, in this case when file_exists() tries to look into file.txt (it assumes it's a folder) an open_basedir restriction warning arises. file_exists() still returns false.

same thing happens with is_file and is_dir functions.
I've checked it on PHP 5.6.30 and 7.0.12 and same thing happens on both versions.


Test script:
---------------
ini_set('open_basedir', 'path/to/parent');

file_exists('path/to/parent/folder1/image.jpg'); // returns false
file_exists('path/to/parent/folder2/image.jpg'); // returns false
file_exists('path/to/parent/file.txt/image.jpg'); // returns false and causes open_basedir warning 

Expected result:
----------------
all three cases should return false without warning. as the given $filename to file_exists() function is located under allowed paths.

Actual result:
--------------
the third function call results in following warning:
Warning: file_exists(): open_basedir restriction in effect.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-02-26 15:13 UTC] spam2 at rhsoft dot net 
it's in general a shame that you need to use @file_exists(), @is_file() and @is_dir() tu supress warnings instead have PHP just shut up and return false if

a) it don't exist
b) the path is outside open_basdir no matter if it exists or not

b) is pretty clear because from the POV of the script it *don't exist*
 [2017-02-26 15:32 UTC] requinix@php.net
-Status: Open +Status: Duplicate
 [2017-02-26 15:32 UTC] requinix@php.net 
Duplicate of bug #52065 and many others.
http://news.php.net/php.internals/86301
 [2017-02-26 15:35 UTC] spam2 at rhsoft dot net 
and what does the "and many others" tell you?

for me it tells it's a real life problem for many developers, especially when someone dvelops on a sunshine environment without open_basedir and finally on a server with open_basedir opportunitic checks like file_exists('../something'); starting to flood logs for no good reason
 [2017-02-26 16:57 UTC] nk dot hesam+php at gmail dot com 
I did search before submitting but couldn't find anything but #41518. sorry about that.
And yep everything was fine until I deployed my system on a plesk shared server with open_basedir in action and the issue showed up. very hard to find and debug.
 [2018-01-18 20:12 UTC] charl dot xacra at gmail dot com 
Guys - really now, why publish such weirdness in php7 too? - I mean sure i would've understood if it were in PHP5 (or older) - but common now - I got sh!t at work because of this "oops" --which I did not create..

-look here it's very simple: no matter if you use a full-path or a relative path, PHP's path-resolve is either broken -or dumber than a retarded cockroach.

I'm working on a highly dynamic system -which also works with symlinks. Now PHP actually remembers my previous path-check (which goes fine) and on next refresh -BAM!! - "open_basedir" -bs.

..the worst part is there is nothing I can do about it but rant...
no google search, nothing on this ... once i loved PHP ... (past tense)
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sat Oct 25 13:00:01 2025 UTC