|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79083 7.4.1 does not follow symlinks outside of documentroot while 7.4.0 does
Submitted: 2020-01-08 18:08 UTC Modified: 2020-02-27 14:11 UTC
Avg. Score:4.5 ± 0.5
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:2 (100.0%)
From: calimeroteknik at free dot fr Assigned:
Status: Not a bug Package: FPM related
PHP Version: 7.4.1 OS: Linux
Private report: No CVE-ID: None
 [2020-01-08 18:08 UTC] calimeroteknik at free dot fr
When I have a symbolic link in the path to a PHP file (could be a parent directory), which points outside of the DocumentRoot (apparently, this is what triggers the behavior) :

- with php-fpm 7.4.0 it works, the file renders.
- with php-fpm 7.4.1 I get the message "File not found." as the HTTP response, and "Primary script unknown" in the webserver's error log.

open_basedir was unset in this test.
Setting it to "/my/document/root:/path/to/symlink/destination" does not seem to change the results.

This was tested using php-fpm with apache 2.4.41 (event MPM) with no change in both cases.

Test script:
<?php phpinfo();


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-01-16 08:55 UTC]
-Status: Open +Status: Feedback
 [2020-01-16 08:55 UTC]
fpm has no notion of a "DocumentRoot" - it gets passed the absolute path from the webserver. It is therefore very likely your webserver resolves the symlink, not fpm.

You can verify this by enabling the fpm access.log and make sure it includes %f (the absolute script path). If this indicates an issue in PHP itself, please update this bug with relevant information
 [2020-01-21 17:59 UTC] calimeroteknik at free dot fr
Here is my test setup:
-rw-r--r-- /srv/http/phpinfo.php
lrwxrwxrwx /srv/http/symlink.php -> phpinfo.php
-rw-r--r-- /tmp/phpinfo.php
lrwxrwxrwx /srv/http/symlink2.php -> /tmp/phpinfo.php

Here is what access.log produces for the corresponding FPM pool:
- -  21/Jan/2020:18:46:42 +0100 "GET /phpinfo.php" 200
- -  21/Jan/2020:18:46:48 +0100 "GET /symlink.php" 200
- -  21/Jan/2020:18:52:20 +0100 "GET /symlink2.php" 404

Clearly, the webserver does not resolve the symlink, and php-fpm chooses to do so only when the target is within the document root, which is known to php-fpm since we see in the log that it has the query string.
 [2020-01-21 18:07 UTC] calimeroteknik at free dot fr
Oh wait. I misunderstood. Adding %f to the log format, here are the results:

access.format = "%R - %u %t \"%m %r\" %s \"%f\""

The log:
- -  21/Jan/2020:19:06:17 +0100 "GET /phpinfo.php" 200 "/srv/http/phpinfo.php"
- -  21/Jan/2020:19:06:29 +0100 "GET /symlink.php" 200 "/srv/http/symlink.php"
- -  21/Jan/2020:19:06:23 +0100 "GET /symlink2.php" 404 "-"

The webserver does not resolve the symlink, but we get "-" logged for %f.
 [2020-01-26 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2020-01-26 04:30 UTC]
-Status: No Feedback +Status: Open
 [2020-01-27 14:08 UTC] calimeroteknik at free dot fr
From the very beginning I wasn't sure if this was a bug: it might have been intended, although the changelog doesn't mention it.

As far as I'm concerned, it's inconvenient to be unable to have symlinks that point outside of the documentroot, and this came specifically from a PHP update.

I have no idea how to interpret the "-" for the "%f" field of php-fpm's access.log: at what point did the path become that dash and why?
 [2020-02-20 10:04 UTC] jkal at posteo dot eu
is it caused by the systemd service that runs php-fpm? around the time of that version change, the following option was added to the service definition on arch linux:
# The directories /home, /root and /run/user are made inaccessible and empty for processes
# invoked by this unit.
there is a similar option for the /tmp directory "PrivateTmp=true".
i experienced the behaviour explained in this bugreport, while my symlink pointed into /home.
 [2020-02-27 12:16 UTC] calimeroteknik at free dot fr
-Status: Open +Status: Closed
 [2020-02-27 12:16 UTC] calimeroteknik at free dot fr
Yes indeed, this surprise-behaviour was coming from the systemd unit file.

So in the end it's much the same as this:
 [2020-02-27 14:11 UTC]
-Status: Closed +Status: Not a bug
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Tue Mar 21 08:03:39 2023 UTC