php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #77979 open_basedir deprecation
Submitted: 2019-05-07 10:47 UTC Modified: 2019-05-08 09:17 UTC
From: spam2 at rhsoft dot net Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2019-05-07 10:47 UTC] spam2 at rhsoft dot net 
Description:
------------
can you guys please step back from trying to remove everything left and right in PHP 8.0? 

everybody knows that it's not bullet proof but it has it's value

the performance penalty is only because of the hardcoded nonsense instead a ini-option we patch out of PHP because with disable_functions="symlink" the race can't happen

until you fix the design of realpath cache it's worthless anyways
https://bugs.php.net/bug.php?id=73888

-------- Weitergeleitete Nachricht --------
Betreff: [PHP-DEV] open_basedir?
Datum: Tue, 7 May 2019 12:11:03 +0200
Von: Nikita Popov <nikita.ppv@gmail.com>
An: PHP internals <internals@lists.php.net>

Hi internals,

The open_basedir ini setting has two significant problems:

1. It is a major performance hit, because it disables the realpath cache.

2. Many people think it is a security feature and use it as such. However,
open_basedir is in reality a "best effort" mechanism, with known
workarounds and more regularly being found. Especially when it comes to
interactions with 3rd party libraries, enforcing open_basedir is simply
impossible.

What open_basedir tries to do must be implemented on the operating system
level to work reliably (and of course such mechanisms exist, such as jails,
chroot and friends).

I wonder if it is feasible to drop this ini setting? Enforcing this doesn't
really seem like any of PHP's business. If not, I think we need to at least

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-05-07 18:04 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Type: Security +Type: Bug -Package: *General Issues +Package: Safe Mode/open_basedir
 [2019-05-07 18:04 UTC] cmb@php.net 
Sigh
 [2019-05-08 09:16 UTC] spam2 at rhsoft dot net 
yeah, sigh

https://bugs.php.net/bug.php?id=73888

until that is fixed the whole realpath cache is useless and dangerous because clearstatcache() only affects the worker process which replaced the file and requests served by exatcly that process while other workers still have their autistic cache with no programmatic way to fix it 

it makes no sense at all that every php process maintains it's own authistic cache
 [2019-05-08 09:17 UTC] nikic@php.net
-Block user comment: No +Block user comment: Yes
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 26 22:01:29 2024 UTC