|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76894 imageftbbox - listing files outside of openbase_dir
Submitted: 2018-09-17 04:04 UTC Modified: 2018-09-17 15:14 UTC
From: fernando at null-life dot com Assigned:
Status: Open Package: GD related
PHP Version: 7.2.10 OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2018-09-17 04:04 UTC] fernando at null-life dot com
When specifying a file that is outside of the openbasedir path, imageftbbox emits two warnings when the file used as a font exists, and only one when it doesn't. This allows to identify existing paths/files. I'm testing on Windows only.

For example: 

imageftbbox(10, 0, "C:\\windows", 'PHP');

Warning: imageftbbox(): open_basedir restriction in effect. File(c:\windows) is not within the allowed path(s): (C:\tools\phuzzer) in C:\tools\phuzzer\imageft.php on line 15

Warning: imageftbbox(): Invalid font filename in C:\tools\phuzzer\imageft.php on line 15

Test script:
php.exe -n -dopen_basedir=C:\tools\phuzzer -dextension=ext\php_gd2.dll imageft.php


function myErrorHandler($errno, $errstr, $errfile, $errline) {
  global $errorsgenerated;  
  $errorsgenerated = $errorsgenerated + 1;
  return true;


function file_exists_openbasedir($path) {
	global $errorsgenerated;
	$errorsgenerated = 0;
	imageftbbox(10, 0, $path, 'PHP');
	return $errorsgenerated > 1;

echo "c:\\anythingelse ".(file_exists_openbasedir("c:\\anythingelse") ? "exists" : "doesnt exist").PHP_EOL;
echo "c:\\windows ".(file_exists_openbasedir("c:\\windows")?  "exists" : "doesnt exist").PHP_EOL;

Expected result:
Same behavior regardless the file exists or no.

Actual result:
c:\anythingelse doesnt exist
c:\windows exists


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2018-09-17 15:14 UTC]
-Type: Security +Type: Bug
 [2018-09-17 15:14 UTC]
According to our security classification[1] this is not a
security issue, since it:

| requires the use of settings not recommended for production -
| ex. error reporting to output

It seems strange that ZTS versions do not issue the open_basedir
restriction warning for non-existant files, but since the other
warning is the result of a failing open_basedir check, that's a
minor issue.

[1] <>
 [2018-09-17 17:02 UTC] fernando at null-life dot com
Hi cmb, 

I think the argument regarding settings not recommended for production is not valid here, as you can see, even with display_errors=Off the code is still able to detect existing files/dirs out of the openbasedir path. 

If you don't want to clasify it as a security issue for any other reason, that's OK for me.

D:\FMS\fms\php7210ts>php.exe -n -dopen_basedir=d:\fms -ddisplay_errors=Off -dextension=ext\php_gd2.dll x.php
c:\anythingelse doesnt exist
c:\windows exists

As you mention, it only happens with the ZTS version, the NTS doesn't show this behaviour. Thanks"
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Thu Apr 15 11:01:24 2021 UTC