On 28.09.2011 00:16, Ángel González wrote:
> Reindl Harald wrote:
>> below a correct open_basedir restriction
>>
>> but why can fopen() create this file outside the
>> basedir and after that the restriction is active?
>>
>> this means in other words: fopen() can empty files outside the basedir
>> if their permissions are open enough
>>
>> Sep 27 10:53:26 open_basedir restriction in effect. File(/tmp/rhcsvz8QeBL)
>> is not within the allowed path(s):
>> (/etc/httpd/conf/panel:/Volumes/dune/www-servers/phpincludes:/usr/share/pear)
>> Sep 27 10:53:26 PHP Warning: fopen(/tmp/rhcsvz8QeBL): failed to open stream:
>> Operation not permitted in
>> /Volumes/dune/www-servers/phpincludes/global_rh_csv.inc.php on line 2
>>
>> [root@arrakis:~]$ stat /tmp/rhcsvz8QeBL
>> File: „/tmp/rhcsvz8QeBL“
> Are you sure it is the fopen() that is making it?
> I think that some other function/extension may be creating the temporary file
> /tmp/rhcsvz8QeBL for you to open, which then fails due to the open_basedir.

errata - it is tempnam() if $dir is not writeable which falls back to /tmp

this fallback should not happen if /tmp is NOT in open_basedir, and
tempnam() should spit out the error instead of the following fopen()

better would be if tempnam() stops and gives out a warning that $dir is
not writeable - it had a reason that the $dir param was used, and if
there is an error it is bad behavior that php takes something else

we are speaking about a programming language and not a gambling machine :-)
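
One way to get the stop-and-report behaviour asked for above from application code, as an added example that is not part of the original message or of PHP itself: the helper name `strict_tempnam`, the demo directory and the `rhcsv` prefix are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (this example's own, not a PHP built-in): create a
// temp file in $dir or fail, never accepting a silent fallback location.
function strict_tempnam(string $dir, string $prefix): string
{
    $wanted = realpath($dir);
    if ($wanted === false || !is_dir($wanted) || !is_writable($wanted)) {
        throw new RuntimeException("temp directory not usable: $dir");
    }

    $path = tempnam($wanted, $prefix);
    if ($path === false) {
        throw new RuntimeException("tempnam() failed for $dir");
    }

    // tempnam() may still have fallen back to the system temp directory,
    // so compare where the file really landed with where it was asked for.
    // realpath() returns false for a location outside open_basedir.
    $actual = realpath(dirname($path));
    if ($actual !== $wanted) {
        // Try to remove the stray file; under open_basedir this unlink
        // may itself be refused, which is why the result is ignored.
        @unlink($path);
        throw new RuntimeException(
            'tempnam() fell back to ' . dirname($path) . " instead of $wanted"
        );
    }
    return $path;
}

// Constructed usage: one writable directory, one that does not exist.
$base = sys_get_temp_dir() . '/strict_tempnam_demo_' . getmypid();
mkdir($base, 0700);

$ok = strict_tempnam($base, 'rhcsv');
echo "created: $ok\n";
unlink($ok);

try {
    strict_tempnam($base . '/missing', 'rhcsv');
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
rmdir($base);
```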