ID: 14076
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Feedback
Bug Type: *Directory/Filesystem functions
Operating System: Linux
PHP Version: 4.0.6
New Comment:
Unfortunately this bug is *not* fixed in 4.2.0rc1.
I can reproduce both problems (fopen fails if file does not exist /
safe_mode_includedir does not work). If I use "real" path statements
(e.g. /mnt/hda7/web/file.php instead of /var/web/file.php) everything
works fine (please see my previous posts to #14076)
Let me know if I can help with more tests or debug output. It would be
very nice to have this problem fixed in the next release.
Hajo
Previous Comments:
------------------------------------------------------------------------
[2002-04-03 11:59:12] [EMAIL PROTECTED]
This should be fixed. Please see www.php.net/~derick for the latest RC
for 4.2.0m, and report back.
Derick
------------------------------------------------------------------------
[2002-04-03 11:56:31] [EMAIL PROTECTED]
This bug still exists in PHP 4.1.2.
A similiar problem also affects safe_mode_include_dir (path-statements
containing symlinks do not work: "The script whose uid is 1234 is not
allowed to access /my/safe_mode_include_path/with/symlink/mail.php
owned by uid 0").
Could someone *please* fix this ?
Hajo
------------------------------------------------------------------------
[2002-01-17 14:59:12] [EMAIL PROTECTED]
I've verified that this problem still exists in PHP 4.1.1.
Hajo Noerenberg
------------------------------------------------------------------------
[2002-01-16 13:42:52] [EMAIL PROTECTED]
As a workaround you can use relative paths in all of
your fopen()-calls: fopen("./test.html") always works
(I think php prepends the *expanded path* then -- see
the last paragraph in my previous comment).
Hajo
------------------------------------------------------------------------
[2002-01-16 13:21:11] [EMAIL PROTECTED]
This problem has nothing to do with wrong file/directory modes. I'm
quite sure that it is a bug in the PHP-realpath-code.
Please consider the following setup layout:
/var/www/ = symlink to /mnt/sda1/www
/var/www/domain.com = apache document_root = php open_basedir
/var/www/domain.com/test.html = test file for fopen()
I've added some debug code to fopen_wrappers.c :
php_error(E_NOTICE, "check_specific_open_basedir ( comparing resolved
name %s to resolved_basedir %s )", resolved_name, resolved_basedir);
if (strncmp(resolved_basedir, resolved_name, strlen(resolved_basedir))
== 0) {
Trying to fopen("/var/www/domain.com/test.html") results
in two cases:
1. /var/www/domain.com/test.html already exists
PHP Warning: check_specific_open_basedir ( comparing resolved name
/mnt/sda1/www/domain.com/test.html to resolved_basedir
/mnt/sda1/www/domain.com/test.html )
-> fopen() succeeds
2. /var/www/domain.com/test.html does *not* exist
PHP Warning: check_specific_open_basedir ( comparing resolved name
/var/www/domain.com/test.html to resolved_basedir
/mnt/sda1/www/domain.com/test.html )
-> fopen() fails with "open basedir restriction in effect"-error
As you can see in the debug output, PHP does not correctly
expand the file path if the file does not exists !
Trying to fopen("/mnt/sda1/www/domain.com/test.html") always
succeeds because PHP does not need to expand the filename anymore
(-> strncmp is always true ).
Hajo
(Linux 2.2 - PHP 4.0.6 - afaik the problem still exists in 4.1.X)
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/14076
--
Edit this bug report at http://bugs.php.net/?id=14076&edit=1
