Edit report at https://bugs.php.net/bug.php?id=65188&edit=1

 ID:                 65188
 Updated by:         johan...@php.net
 Reported by:        lennsen at chello dot at
 Summary:            Undocumented change for open_basedir restrictions
-Status:             Open
+Status:             Not a bug
 Type:               Bug
 Package:            *Directory/Filesystem functions
 Operating System:   Linux
 PHP Version:        5.4.16
 Block user comment: N
 Private report:     N

 New Comment:

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This was a security discussion around CVE-2010-3436. I don't know if there is a 
public summary of the "open_basedir minor flaw" security thread from 28 Sep 
2010.


Previous Comments:
------------------------------------------------------------------------
[2013-07-03 00:44:25] lennsen at chello dot at

Description:
------------
Between 5.3 and 5.4 (also 5.5) there was a significant change, the 
reasons for which I am not aware of.

If there is some directory, e.g. /somedir, having a script, e.g. index.php, then in 
5.3 (and lower) it was possible to call this file by setting an Apache document 
root there, and if only read access was required, then one could call that vhost 
with /somedir/index.php without the need of having /somedir within open_basedir.

  e.g. http://somedir.domain.com/index.php

Since 5.4 this is not possible any more; it returns an error that an open_basedir 
restriction is in effect and that the stream could not be opened.

I tested this with the very same systems (on 3 different ones), same configure 
options, same php.ini - the only difference was the PHP version, confirmed with 
5.3 (working), 5.4.16, 5.5.0 (both not working)


I guess that it might have something to do with the removal of safe_mode and 
its checks, perhaps the modifications for the core caused this change, but I 
can not tell for sure.

As far as possible I adapted the following files from 5.3 to 5.4 by comparison 
and removing/adding lines to make them work as close as possible to 5.3

main/fopen_wrappers.c
main/streams/streams.c 
main/fopen_wrappers.c
main/streams/plain_wrapper.c

ext/standard/php_fopen_wrapper.c
ext/standard/basic_functions.c
ext/standard/filestat.c
ext/standard/file.c


-- This is just a hint and might not mean anything, but after adapting these 
files (this was mostly possible until interface changes had to be made, causing 
gcc/make to abort) I did not see any change in behavior.


The given error is "No input file specified." (sapi fcgi is in use) and 
error_log gives the following errors:


PHP Warning:  Unknown: failed to open stream: Operation not permitted in 
Unknown on line 0
PHP Warning:  Unknown: open_basedir restriction in effect. 
File(/somedir/index.php) is not within the allowed path(s): 
(/restricted_1/:/restricted_2/) in Unknown on line 0


This also might have something to do with the SAPI.


The main reason behind this is:
- I want to be able to use such a vhost, the php files should be 
-execute-only-, so opening and parsing index.php from within the browser should 
be possible
- at the same time, due to the missing entry of /somepath in open_basedir, one 
must not be able to open /somepath/index.php with e.g. fopen, to see the file's 
contents (the plain PHP code)


This worked very fine until 5.3.
A solution or alternative to achieve these 2 requirements would be great since 
I can not stay with 5.3 forever. Please do not suggest code compiling with e.g. 
Zend Optimizer, RoundCube or similar.

Individual changes in PHP's C source are an option if no generic solution is 
available.


configuration:
- open_basedir = "/restricted_1/:/restricted_2/"
- read/write access available for GID and UID
- no SELinux
- phpcgi and httpd are being executed with same GID and GID as the file






Expected result:
----------------
opening the resource, http://somedir.domain.com/index.php leads to opening & 
parsing the file

Actual result:
--------------
fails to open resource, http://somedir.domain.com/index.php
 says 'No input file specified. '

error_log contains 2 errors:

PHP Warning:  Unknown: failed to open stream: Operation not permitted in 
Unknown on line 0
PHP Warning:  Unknown: open_basedir restriction in effect. 
File(/somedir/index.php) is not within the allowed path(s): 
(/restricted_1/:/restricted_2/) in Unknown on line 0


------------------------------------------------------------------------


