From: kristof dot coomans at telenet dot be Operating system: Windows XP PHP version: 5.3CVS-2008-12-23 (snap) PHP Bug Type: Safe Mode/open_basedir Bug description: Unable to untighten open_basedir restriction
Description: ------------ I'm testing the new feature introduced lately, namely "tightening" the open_basedir setting. This might be a very good security measure, to prevent relative directory traversal exploits. However, sometimes it is useful to tighten the path only for certain code, and untighten it again afterward to its original value. This doesn't seem to work currently. Reproduce code: --------------- <?php // original open_basedir value echo ini_get( 'open_basedir' ) . PHP_EOL; $newBaseDir = dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'var' . DIRECTORY_SEPARATOR; ini_set( 'open_basedir', $newBaseDir ); // new tightened open_basedir value echo ini_get( 'open_basedir' ) . PHP_EOL; // this will fail, as intended, because of the open_basedir restriction file_put_contents( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'test.txt', 'test 123 456' ); ini_restore( 'open_basedir' ); // original open_basedir value again echo ini_get( 'open_basedir' ) . PHP_EOL; // this will stail fail, not intended file_put_contents( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'test.txt', 'test 123 456' ); ?> Expected result: ---------------- The last call should be allowed, and a file test.txt should have been created in the same directory as the script. Actual result: -------------- Warning: file_put_contents(): open_basedir restriction in effect. File(C:\sites\ trunk\test.txt) is not within the allowed path(s): (░δรง☺♀) in ... Warning: file_put_contents(C:\sites\trunk\test.txt): failed to open stream: Operation not permitted in ... -- Edit bug report at http://bugs.php.net/?id=46934&edit=1 -- Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=46934&r=trysnapshot52 Try a CVS snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=46934&r=trysnapshot53 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=46934&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=46934&r=fixedcvs Fixed in CVS and need be documented: http://bugs.php.net/fix.php?id=46934&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=46934&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=46934&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=46934&r=needscript Try newer version: http://bugs.php.net/fix.php?id=46934&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=46934&r=support Expected behavior: http://bugs.php.net/fix.php?id=46934&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=46934&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=46934&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=46934&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=46934&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=46934&r=dst IIS Stability: http://bugs.php.net/fix.php?id=46934&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=46934&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=46934&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=46934&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=46934&r=mysqlcfg