ID: 41518 Comment by: paul at moonkhan dot org Reported By: ruben dot willmes at emil2001 dot de Status: Assigned Bug Type: Safe Mode/open_basedir Operating System: Linux PHP Version: 5.2.2 Assigned To: tony2001 New Comment:
@Ruben Running PHP 5.2.3 on Redhat Enterprise Linux 4 I get the following: #php -d open_basedir=/tmp -r 'var_dump(file_exists("/tmp/nosuch"));' bool(false) But if I switch /tmp to /tmp/ (ie, with trailing slash): #php -d open_basedir=/tmp/ -r 'var_dump(file_exists("/tmp/nosuch"));' PHP Warning: file_exists(): open_basedir restriction in effect. File(/tmp/nosuch) is not within the allowed path(s): (/tmp/) in Command line code on line 1 Warning: file_exists(): open_basedir restriction in effect. File(/tmp/nosuch) is not within the allowed path(s): (/tmp/) in Command line code on line 1 bool(false) We can eliminate this problem in our environment if we remove the trailing slashes from our open_basedir settings but that's not how open_basedir was intended to work, since trailing slashes prevent "wildcarding". For example, "/tmp" matches "/tmpfoo" and "/tmpbar" but "/tmp/" should only match, well, /tmp/. -Paul Previous Comments: ------------------------------------------------------------------------ [2007-06-01 00:02:29] phpbugs at thequod dot de This might be related to bug #39123, where open_basedir=/tmp/ started to fail, as internally only "/tmp" (without trailing slash) got considered. (http://bugs.php.net/bug.php?id=39123) ------------------------------------------------------------------------ [2007-05-31 12:40:31] ruben dot willmes at emil2001 dot de Your example is correct, that does work, but what if you change the following: Instead of #php -d open_basedir=/tmp -r 'var_dump(file_exists("/tmp/nosuch"));' try #php -d open_basedir=/tmp/ -r 'var_dump(file_exists("/tmp/nosuch"));' Notice the slash behind "open_basedir=/tmp/". With that you get Warning: file_exists(): open_basedir restriction in effect. File(/tmp/ nosuch) is not within the allowed path(s): (/tmp/) in Command line code on line 1 bool(false) ------------------------------------------------------------------------ [2007-05-31 11:06:13] [EMAIL PROTECTED] I don't think I get what you're talking about: # ls -l /tmp/nosuch ls: cannot access /tmp/nosuch: No such file or directory #php -d open_basedir=/tmp -r 'var_dump(file_exists("/tmp/nosuch"));' bool(false) No warning whatsoever. ------------------------------------------------------------------------ [2007-05-30 20:20:58] ruben dot willmes at emil2001 dot de Sorry, but i have to reopen this bug again. Thx for the reply, Tony, but i don't think you understood me. I don't want to generally remove this error message, it's just under your OWN open_basedir, where you shouldn't get this message since you should be able to check whether the file exists under your OWN open_basedir, or am i wrong? Let's make an example: Two users, user1 and user2, both locked in their homedirs with open_basedir: /home/user1/ /home/user2/ Both have one file in their directory, let's call it test.php Now, if user1 checks whether test.php exists, he get's a true, as well as user2. If user1 checks user2's test.php, he'll get a false and an open_basedir warning since he's out of his open_basedir. That's correct. But what if user1 checks a file called test2.php under his own directory, /home/user1/? Should he get an open_basedir error? In my eyes he should only get a 'false' as the file does not exist, but no open_basedir warning, since he's still in his own open_basedir. In the recent PHP5 release (5.2.2) one get's an open_basedir warning if you check a non-existent file under your OWN open_basedir. In a previous release the message was not present (i think it was 5.2.0 or 5.2.1). so, please reconsider this bug ------------------------------------------------------------------------ [2007-05-29 20:39:47] [EMAIL PROTECTED] If we remove this warning for non-existent files, it could be possible to use file_exists() to detect which files exists (since it's perfectly legal to print this warning when the file exists). ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/41518 -- Edit this bug report at http://bugs.php.net/?id=41518&edit=1