php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79851 open_basedir no longer restricts access to http://
Submitted: 2020-07-13 12:38 UTC Modified: 2020-07-13 13:28 UTC
From: sjon@php.net Assigned: cmb (profile)
Status: Closed Package: Filesystem function related
PHP Version: 8.0.0alpha2 OS: archLinux
Private report: No CVE-ID: None
 [2020-07-13 12:38 UTC] sjon@php.net
Description:
------------
Previously open_basedir would prevent file-functions from accessing protocols such as http. It no longer does, and this change doesn't appear to be documented anywhere. This might simply need an entry in upgrading as is correct according to https://www.php.net/manual/en/function.fopen.php

originally found as https://3v4l.org/oLWdo

Test script:
---------------
$file = 'http://www.phpcodepad.com/index.php';
$newfile = 'example.txt';

copy($file, $newfile);

Expected result:
----------------
Warning: copy(): open_basedir restriction in effect. File(http://www.phpcodepad.com/index.php) is not within the allowed path(s): (/tmp:/in:/etc) in /in/oLWdo on line 5

Actual result:
--------------
Warning: copy(): php_network_getaddresses: getaddrinfo failed: Temporary failure in name resolution in /in/oLWdo on line 5

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-07-13 12:59 UTC] nikic@php.net
-Assigned To: +Assigned To: cmb
 [2020-07-13 12:59 UTC] nikic@php.net
This one probably isn't PHP 8 specific, just not rolled out on earlier branches yet. It's presumably introduced by https://github.com/php/php-src/pull/5237.

@cmb: The new behavior is correct, right?
 [2020-07-13 13:17 UTC] cmb@php.net
-Status: Assigned +Status: Feedback
 [2020-07-13 13:17 UTC] cmb@php.net
> The new behavior is correct, right?

In my opinion, yes.  Why should open_basedir affect HTTP URLs?

I don't even think this needs a special note (UPGRADING or such).
It's just a bug fix, isn't it?
 [2020-07-13 13:21 UTC] nikic@php.net
Yeah, seeing how this just matches the behavior with other functions like fopen(), I don't think special action is needed.
 [2020-07-13 13:28 UTC] sjon@php.net
-Status: Feedback +Status: Closed
 [2020-07-13 13:28 UTC] sjon@php.net
I agree, but I think some people will be bitten by this anyway which is why it might deserve a line in UPGRADING
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Fri Feb 03 07:05:52 2023 UTC