ID: 39073
User updated by: jim at centerfuse dot net
Reported By: jim at centerfuse dot net
Status: Open
Bug Type: Safe Mode/open_basedir
Operating System: FreeBSD 4.11
PHP Version: 5.1.6
New Comment:
This bug does not seem to affect require_once(), require(), or
include(), which are still able to access the file from a different UID
(as long as safe_mode_include_dir is set as it should be). However,
other file operations such as file_exists and fopen fail. In the
example below, note that the include() succeeds because the output does
say "this is the test file"
====
CODE
====
//
// safe_mode_include_dir is /home/php_include_test
//
// the file /home/php_include_test/test
// simply says "this is the test file<br />"
$test_file = '/home/php_include_test/test';
include($test_file);
if ( file_exists($test_file) ) {
echo 'Test file exists.<br />';
}
else {
echo 'Test file does not exist<br />';
}
if ( is_readable($test_file) ) {
echo 'Test file is readable.<br />';
}
else {
echo 'Test file not readable<br />';
}
if ( $fp = fopen($test_file, 'r') ) {
echo 'Test file opened for read.<br />';
fclose($fp);
}
else {
echo 'Test file could not be opened for read<br />';
}
=======
OUTPUT
=======
this is the test file
Test file does not exist
Test file not readable
Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The
script whose uid is 1010 is not allowed to access
/home/php_include_test/test owned by uid 0 in
/home/www/jim/public_html/jimtest.php on line 21
Warning: fopen(/home/php_include_test/test) [function.fopen]: failed to
open stream: Inappropriate ioctl for device in
/home/www/jim/public_html/jimtest.php on line 21
Test file could not be opened for read
Previous Comments:
------------------------------------------------------------------------
[2006-10-07 09:19:06] jim at centerfuse dot net
get_cfg_var() and ini_get() both return the correct
safe_mode_include_dir, but it seems to just be ignored. Just for good
measure, I also tried using a different directory altogether, but got
the same results.
------------------------------------------------------------------------
[2006-10-07 08:10:57] jim at centerfuse dot net
note, the trailing parentheses that appears in my reproduce code after
the safe_mode_include_dir is *not* present in php.ini, it was a typo.
------------------------------------------------------------------------
[2006-10-07 08:09:58] jim at centerfuse dot net
Description:
------------
Just upgraded to php 5.1.6, and safe_mode_include_dir doesn't appear to
be honored. I'm running with safe mode = On and one directory in the
include_dir. Trying to include/fopen/etc any file from that directory
results in a safemode UID restriction. phpinfo() shows that PHP is
reading the correct configuration file and that it knows about
safe_mode_include_dir.
Reproduce code:
---------------
//in php.ini: safe_mode_include_dir = "/usr/local/share/FUSE")
$fp = fopen('/usr/local/share/FUSE/FUSE-main.php', 'r')
Expected result:
----------------
fopen should return file pointer
Actual result:
--------------
Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The
script whose uid is 1006 is not allowed to access
/usr/local/share/FUSE/FUSE-main.php owned by uid 0 in
/home/context/public_html/test.php on line 13
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=39073&edit=1
