Hi!

> The source of the problem is that the open_basedir will always leak
> information about dirs that the user is not supposed to see (out of the
> open_basedir restriction). The reason is that false value can indicate
> that (more info in the PR or https://bugs.php.net/bug.php?id=65489 ).
> However not sure if it's so big issue as no one should ever use
> open_basedir in security context anyway... :)

The biggest problem with glob() was not security but the fact that it returned false on non-existing files when open_basedir is set, even when everything is inside open_basedir context. Ideally, glob() should return the same with and without open_basedir, with the added restriction that if open_basedir disallows access to some dir/file, then this dir/file does not exist for the purposes of glob(). I'm not sure though if glob() does that right now completely or how hard it would be to fix it, I didn't look into it deeper. I just noticed that a very old bug was not fixed in 5.4/5.5 by mistake, and this bug makes usage of glob with open_basedir very annoying, as you cannot use glob() in foreach() anymore.

-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
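
The semantics asked for in the message above (always an array, with disallowed paths treated as nonexistent), approximated in userland as an added example that is not from the thread or from PHP itself. The helper names are hypothetical, PHP 7.4+ is assumed, and open_basedir entries are assumed to be directory names.

```php
<?php
// Added example; allowed_basedirs, path_is_allowed and glob_list are hypothetical names.

/** Split the open_basedir ini value into its directory entries. */
function allowed_basedirs(?string $ini = null): array
{
    $ini = $ini ?? (string) ini_get('open_basedir');
    return array_values(array_filter(explode(PATH_SEPARATOR, $ini), fn($d) => $d !== ''));
}

/** True if $path resolves under one of $basedirs (an empty list means unrestricted). */
function path_is_allowed(string $path, array $basedirs): bool
{
    if ($basedirs === []) { return true; }
    $real = realpath($path);   // false when missing or blocked by open_basedir
    if ($real === false) { return false; }
    foreach ($basedirs as $base) {
        $base = realpath($base);
        if ($base === false) { continue; }
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        // Assumption: entries are directory names, so match on a separator boundary.
        if ($real . DIRECTORY_SEPARATOR === $base || strncmp($real, $base, strlen($base)) === 0) {
            return true;
        }
    }
    return false;
}

/** glob() that always returns an array and drops paths outside $basedirs. */
function glob_list(string $pattern, int $flags = 0, ?array $basedirs = null): array
{
    $matches = glob($pattern, $flags);
    if ($matches === false) { return []; }   // error or restriction: nothing to iterate
    $basedirs = $basedirs ?? allowed_basedirs();
    return array_values(array_filter($matches, fn($p) => path_is_allowed($p, $basedirs)));
}

// Constructed demo data in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'glob_demo_' . getmypid();
mkdir($dir);
touch($dir . DIRECTORY_SEPARATOR . 'a.txt');
foreach (["$dir/*.txt", "$dir/*.missing"] as $pattern) {
    foreach (glob_list($pattern, 0, [$dir]) as $file) {   // no match gives [], so foreach is safe
        echo "$pattern -> $file\n";
    }
}
unlink($dir . DIRECTORY_SEPARATOR . 'a.txt');
rmdir($dir);
```

Because both "nothing matched" and "not allowed" collapse to an empty array, the caller cannot tell the two apart from the return value.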