From: lennsen at chello dot at Operating system: Linux PHP version: 5.4.16 Package: *Directory/Filesystem functions Bug Type: Bug Bug description:Undocumented change for open_basedir restrictions
Description: ------------ Between 5.3 and since 5.4 (also 5.5) there was a significant change for its reasons I am not aware of. If there is some directory e.g. /somedir having a script e.g. index.php then in 5.3 (and lower) it was possible to call this file by setting an apache document root there and if only read access was required, then one could call that vhost with /somedir/index.php without the need of having /somedir within open_basedir e.g. http://somedir.domain.com/index.php since 5.4 this is not possible any more, it returns an error with open_basedir restriction in effect and that the stream could not be opened I tested this with the very same systems (on 3 different ones), same configure options, same php.ini - the only difference was the PHP version, confirmed with 5.3 (working), 5.4.16, 5.5.0 (both not working) I guess that it might have something to do with the removal of safe_mode and its checks, perhaps the modifications for the core caused this change, but I can not tell for sure. As far as possible I adapted the following files from 5.3 to 5.4 by comparison and removing/adding lines to make them work as close as possible to 5.3 main/fopen_wrappers.c main/streams/streams.c main/fopen_wrappers.c main/streams/plain_wrapper.c ext/standard/php_fopen_wrapper.c ext/standard/basic_functions.c ext/standard/filestat.c ext/standard/file.c -- This is just a hint and might not mean anything, but after adapting these files (this was mostly possible until interface changes had to be made, causing gcc/make to abort) I did not see any change in behavior. The given error is "No input file specified." (sapi fcgi is in use) and error_log gives the following errors: PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0 PHP Warning: Unknown: open_basedir restriction in effect. File(/somedir/index.php) is not within the allowed path(s): (/restricted_1/:/restricted_2/) in Unknown on line 0 This also might have to do something with the SAPI. The main reason behind this is: - I want to be able to use such a vhost, the php files should be -execute-only-, so opening and parsing index.php from within the browser should be possible - at the same time, due to the missing entry of /somepath in open_basedir, one must not be able to open /somepath/index.php with e.g. fopen, to see the file's contents (the plain PHP code) This worked very fine until 5.3. A solution or alternative to achieve these 2 requirements would be great since I can not stay with 5.3 forever. Please do not suggest code compiling with e.g. Zend Optimizer, RoundCube or similar. Individual changes in PHP's C source is an option if no generic solution is available. configuration: - open_basedir = "/restricted_1/:/restricted_2/" - read/write access available for GID and UID - no SELinux - phpcgi and httpd are being executed with same GID and GID as the file Expected result: ---------------- opening the resource, http://somedir.domain.com/index.php leads to opening & parsing the file Actual result: -------------- fails to open resource, http://somedir.domain.com/index.php says 'No input file specified. ' error_log contains 2 errors: PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0 PHP Warning: Unknown: open_basedir restriction in effect. File(/somedir/index.php) is not within the allowed path(s): (/restricted_1/:/restricted_2/) in Unknown on line 0 -- Edit bug report at https://bugs.php.net/bug.php?id=65188&edit=1 -- Try a snapshot (PHP 5.4): https://bugs.php.net/fix.php?id=65188&r=trysnapshot54 Try a snapshot (PHP 5.3): https://bugs.php.net/fix.php?id=65188&r=trysnapshot53 Try a snapshot (trunk): https://bugs.php.net/fix.php?id=65188&r=trysnapshottrunk Fixed in SVN: https://bugs.php.net/fix.php?id=65188&r=fixed Fixed in release: https://bugs.php.net/fix.php?id=65188&r=alreadyfixed Need backtrace: https://bugs.php.net/fix.php?id=65188&r=needtrace Need Reproduce Script: https://bugs.php.net/fix.php?id=65188&r=needscript Try newer version: https://bugs.php.net/fix.php?id=65188&r=oldversion Not developer issue: https://bugs.php.net/fix.php?id=65188&r=support Expected behavior: https://bugs.php.net/fix.php?id=65188&r=notwrong Not enough info: https://bugs.php.net/fix.php?id=65188&r=notenoughinfo Submitted twice: https://bugs.php.net/fix.php?id=65188&r=submittedtwice register_globals: https://bugs.php.net/fix.php?id=65188&r=globals PHP 4 support discontinued: https://bugs.php.net/fix.php?id=65188&r=php4 Daylight Savings: https://bugs.php.net/fix.php?id=65188&r=dst IIS Stability: https://bugs.php.net/fix.php?id=65188&r=isapi Install GNU Sed: https://bugs.php.net/fix.php?id=65188&r=gnused Floating point limitations: https://bugs.php.net/fix.php?id=65188&r=float No Zend Extensions: https://bugs.php.net/fix.php?id=65188&r=nozend MySQL Configuration Error: https://bugs.php.net/fix.php?id=65188&r=mysqlcfg