From: bjorn dot wiberg at home dot se Operating system: Debian GNU/Linux 3.0r2 (mixed) PHP version: 5.0.0b3 (beta3) PHP Bug Type: Apache2 related Bug description: open_basedir contains "." but script fails to include "./dir/file.txt"
Description: ------------ Using PHP for a virtual host, with open_basedir set to "." (a dot). When running a script that includes files in subdirectories relative to the script on the form "./dir/file.inc", those files fail to get included, and the error log says that those files are not withing the allowed path. Even though the open_basedir documentation says that "." should allow files in the current directory *and subdirectories* to be included. Setting open_basedir to include "./" fixes the problem. (I've now started to include ".:./" in my open_basedir to be on the "safe" side...) NOTE: This is not the same thing as bug #14396 (http://bugs.php.net/bug.php?id=14396) as I'm not using safe mode, and don't get the "wrong directory error" but instead the "is not within the allowed path(s)" error. SIDENOTE: Bug #26310 (http://bugs.php.net/bug.php?id=26310) has a very odd comment at the end; why would "./" be almost the same thing as not setting any open_basedir restrictions at all? I would say that "/" would be the same thing as not setting it at all, but not "./"... Reproduce code: --------------- I'm using phpMyAdmin 2.5.5-pl1 from: http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.5.5-pl1.tar.gz?download ...together with Apache 2.0.48-7 (apache2-mpm-worker, apache2-common, apache2-doc Debian packages) and PHP 5.0.0b3 as an Apache 2 SAPI module. At the moment I'm not running PHP in safe mode. I'm also more or less using the standard PHP config of php.ini-recommended, also locking some of its values with php_admin_value and php_admin_flag in main server config. Overriding doc_root, max_execution_time, memory_limit, open_basedir and safe_mode_exec_dir (a remainder from the time when I used safe mode) for each virtual host. Expected result: ---------------- No errors should appear in the Apache error log. The inclusion of files from the script should work. "." as open_basedir ought to allow inclusion both of files in the same directory as the script (i.e. include "file.txt" AND "./file.txt") and subdirectories (i.e. include "directory/file.txt" -- at least if "." is also in the include_path -- AND "./directory/file.txt"). Actual result: -------------- WITH OPEN_BASEDIR SET TO ".": [client 81.224.231.55] PHP Fatal error: main(): Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/ [client 81.224.231.55] PHP Warning: main(): open_basedir restriction in effect. File(./libraries/grab_globals.lib.php) is not within the allowed path(s): (.) in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/queryframe.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792 [client 81.224.231.55] PHP Warning: main(./libraries/grab_globals.lib.php): failed to open stream: Operation not permitted in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/queryframe.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792 [client 81.224.231.55] PHP Fatal error: main(): Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/queryframe.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792 [client 81.224.231.55] PHP Warning: main(): open_basedir restriction in effect. File(./libraries/grab_globals.lib.php) is not within the allowed path(s): (.) in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/left.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792 [client 81.224.231.55] PHP Warning: main(./libraries/grab_globals.lib.php): failed to open stream: Operation not permitted in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/left.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792 [client 81.224.231.55] PHP Fatal error: main(): Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/left.php?lang=sv-iso-8859-1&server=1&hash=814ae4552105c8875600352b899733741075996792 [client 81.224.231.55] PHP Warning: main(): open_basedir restriction in effect. File(./libraries/grab_globals.lib.php) is not within the allowed path(s): (.) in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/main.php?lang=sv-iso-8859-1&server=1 [client 81.224.231.55] PHP Warning: main(./libraries/grab_globals.lib.php): failed to open stream: Operation not permitted in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/main.php?lang=sv-iso-8859-1&server=1 [client 81.224.231.55] PHP Fatal error: main(): Failed opening required './libraries/grab_globals.lib.php' (include_path='.:/usr/local/lib/php') in /mnt/storage/usr/lib/php-bin/vhosts/bwiberg.dyndns.org/admin/phpMyAdmin-2.5.5-pl1/css/phpmyadmin.css.php on line 7, referer: http://bwiberg.dyndns.org/php-bin/admin/phpMyAdmin/main.php?lang=sv-iso-8859-1&server=1 WITH OPEN_BASEDIR SET TO "./": [Thu Feb 05 17:08:00 2004] [notice] SIGUSR1 received. Doing graceful restart [Thu Feb 05 17:08:00 2004] [notice] Digest: generating secret for digest authentication ... [Thu Feb 05 17:08:00 2004] [notice] Digest: done [Thu Feb 05 17:08:00 2004] [notice] Apache configured -- resuming normal operations (That is, no errors appear.) -- Edit bug report at http://bugs.php.net/?id=27160&edit=1 -- Try a CVS snapshot (php4): http://bugs.php.net/fix.php?id=27160&r=trysnapshot4 Try a CVS snapshot (php5): http://bugs.php.net/fix.php?id=27160&r=trysnapshot5 Fixed in CVS: http://bugs.php.net/fix.php?id=27160&r=fixedcvs Fixed in release: http://bugs.php.net/fix.php?id=27160&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=27160&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=27160&r=needscript Try newer version: http://bugs.php.net/fix.php?id=27160&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=27160&r=support Expected behavior: http://bugs.php.net/fix.php?id=27160&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=27160&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=27160&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=27160&r=globals PHP 3 support discontinued: http://bugs.php.net/fix.php?id=27160&r=php3 Daylight Savings: http://bugs.php.net/fix.php?id=27160&r=dst IIS Stability: http://bugs.php.net/fix.php?id=27160&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=27160&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=27160&r=float
