php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76836 misleading error message if open_basedir points to inaccessable target
Submitted: 2018-09-02 14:00 UTC Modified: 2018-09-02 20:55 UTC
From: bugs dot php dot net at register dot conactive dot com Assigned:
Status: Duplicate Package: Safe Mode/open_basedir
PHP Version: 7.2.9 OS: Ubuntu 16.04
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: bugs dot php dot net at register dot conactive dot com
New email:
PHP Version: OS:

 

 [2018-09-02 14:00 UTC] bugs dot php dot net at register dot conactive dot com
Description:
------------
This is NOT a security bug! It's only a very misleading error message.

Example:

open_basedir is set to /var/vmail/ (among other directories)
/var/vmail is drwxrwx---  9 vmail    vmail    4096 Sep  2 15:13 .
user.group for fpm pool is www-data.www-data
So, user/group www-data does not have access to it.

Trying to mkdir or write (file_put_contents) within that directory fails with message about open_basedir restriction (see below). However, this message is not correct. It fails because of insufficient permissions. It does NOT fail because of the open_basedir restriction!

If I change permissions to
/var/vmail is drwxrwx--x  9 vmail    vmail    4096 Sep  2 15:13 .
the misleading error message goes away and the file operation succeeds (if permissions in the target area below are correct).

Related to https://bugs.php.net/bug.php?id=69240, I suppose.

Expected result:
----------------
There should be an error message about missing permissions. There should be NO warning about open_basedir at all in this case, as it's wrong: the file is clearly within the allowed paths.
It would fail to enter that directory without open_basedir set as well!
It probably fails to find the dir because it's inaccessible to the pool. I think in this case it should emit a warning "directory does not exist" or something to that effect. But saying that x is not x in an error message is confusing.


Actual result:
--------------
I get a warning on all kinds of file operations (tried is_dir, mkdir, file_put_contents) that includes this text:

PHP Warning:  is_dir(): open_basedir restriction in effect. File(/var/vmail/sieve/whatever/whatever/whatever) is not within the allowed path(s): (...:/var/vmail/sieve/:...) in ....

file_put_contents adds a second message "failed to open stream: Operation not permitted" which might be fine, but the first warning is still wrong. The ...dir operations get only the open_basedir warning.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-09-02 14:11 UTC] spam2 at rhsoft dot net
YES error mesaages like "'b' is not within the allowed path 'b'" should really go away and indicate some sloppy code - in case of a not accsessable path othe whole extstence of open_basedir shouldn't be relevant and a clear error before all the checks stop execution
 [2018-09-02 20:55 UTC] requinix@php.net
-Status: Open +Status: Duplicate
 [2018-09-02 20:55 UTC] requinix@php.net
Duplicate of bug #52065 and others.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 12:01:30 2024 UTC