#32503 [Opn]: fopen() in cwd: filename must start with ./ under safe mode
ID: 32503 User updated by: Bjorn dot Wiberg at its dot uu dot se Reported By: Bjorn dot Wiberg at its dot uu dot se Status: Open Bug Type: Safe Mode/open_basedir Operating System: IBM AIX 5.2.0.0 ML5 PHP Version: 5.1.2 New Comment: Hi! I just confirmed that the same things happen with PHP 5.1.2. (Somehow my updating of this issue on January 16th seemed to have disappeared.) Best regards, Björn Previous Comments: [2005-12-19 17:46:22] Bjorn dot Wiberg at its dot uu dot se Hi sniper! Just wanted to tell you that for 5.1.1, the following holds: If the path to the file is not listable (r flag) all the way, one gets the following message: Warning: fopen(): open_basedir restriction in effect. File(a.txt) is not within the allowed path(s): (.:/apache/php/lib/php/:/apache/htdocs/bwiberg/) in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Warning: fopen(a.txt): failed to open stream: Not owner in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 The same error occurs until one makes sure that the path all the way to the file is listable (r flag). Then, with the path all the way to the file listable (r flag), one gets, with "a.txt" and no existing file: /apache/htdocs/bwiberg/test/safemode Warning: fopen(): Unable to access a.txt in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Warning: fopen(a.txt): failed to open stream: No such file or directory in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 However, "./a.txt" and no existing file works fine. With "a.txt" and the file already existing, things work just fine. With "./a.txt" and the file already existing, things work just fine. Would it be OK to wait for 5.1.2, or have things related to this actually changed in the latest snapshot? (I just recompiled and installed 5.1.1, awaiting some possible input on or fixes to another bug, so I hope to recompile again sometime early next year.) Wishing you a Merry Christmas and a Happy New Year, and for putting up with me and my AIX troubles. :-) Best regards, Björn [2005-07-05 10:21:38] Bjorn dot Wiberg at its dot uu dot se (Thanks for fixing the mpm_common crash, that problem is gone now.) With #define HAVE_BROKEN_GETCWD 1 in php_config.h, and having made sure that the path up to the directory where the file is to be created has sufficient permissions, I still get the same error: /apache/htdocs/bwiberg/test/safemode Warning: fopen(): Unable to access a.txt in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Warning: fopen(a.txt): failed to open stream: No such file or directory in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Having the read (r) permission off for the "test" directory along the way: Warning: fopen(): open_basedir restriction in effect. File(a.txt) is not within the allowed path(s): (.:/apache/php/lib/php/:/apache/htdocs/bwiberg/) in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Warning: fopen(a.txt): failed to open stream: Not owner in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Best regards, Björn [2005-05-09 14:15:53] Bjorn dot Wiberg at its dot uu dot se Hi again! I just tried the #define HAVE_BROKEN_GETCWD 1 trick from http://bugs.php.net/bug.php?id=32501, with PHP 5.0.4 (the "fixed" version) but that didn't help in this regard. I thought I would mention this. Best regards, Björn [2005-04-05 09:28:28] Bjorn dot Wiberg at its dot uu dot se Hi Tony! Thank you for your feedback! I'm afraid that absolute paths aren't a very viable solution to this, as that probably would break too many scripts, expecting it to be possible to "just" save a file to the current directory. Is the "PHP realpath hack" supposed to handle these kind of problems on AIX? Please let me know if I can help in any way! Best regards, Björn [2005-04-04 17:11:05] [EMAIL PROTECTED] Right, this is somehow concerned with broken realpath() on AIX. The problem is that we end up with relative path in php_checkuid_ex() function and it fails to check permissions for the directory. Of course, the easiest solution is to use absolute paths everywhere. The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/32503 -- Edit this bug report at http://bugs.php.net/?id=32503&edit=1
#32503 [Opn]: fopen() in cwd: filename must start with ./ under safe mode
ID: 32503 User updated by: Bjorn dot Wiberg at its dot uu dot se Reported By: Bjorn dot Wiberg at its dot uu dot se Status: Open Bug Type: Filesystem function related Operating System: IBM AIX 5.2.0.0 ML5 PHP Version: 5CVS-2005-07-05 New Comment: Hi again! (Thanks for fixing the mpm_common crash, that problem is gone now.) I'm pasting some test results (also used in bug #53201) here. All the following with #define HAVE_BROKEN_GETCWD 1 in main/php_config.h, and the following code (tests 1-4): "; $handle = fopen("a.txt", "w", false); if ( $handle != FALSE ) { fputs($handle, "testtext"); fclose($handle); } ?> ..and, respectively (tests 5-8): "; $handle = fopen("./a.txt", "w", false); if ( $handle != FALSE ) { fputs($handle, "testtext"); fclose($handle); } ?> 1. No existing "a.txt" file in the destination directory. With the "read" flag missing to the "test" directory along the path, and write permissions to the destination directory: Warning: fopen(): open_basedir restriction in effect. File(a.txt) is not within the allowed path(s): (.:/apache/php/lib/php/:/apache/htdocs/bwiberg/) in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Warning: fopen(a.txt): failed to open stream: Not owner in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 No file gets created. getcwd() fails. 2. No existing "a.txt" file in the destination directory. Having both read and execute flags along the path, and write permissions to the destination directory: /apache/htdocs/bwiberg/test/safemode Warning: fopen(): Unable to access a.txt in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Warning: fopen(a.txt): failed to open stream: No such file or directory in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 No file gets created. But getcwd() correctly returns " /apache/htdocs/bwiberg/test/safemode". 3. No existing "a.txt" file in the destination directory. Trying with "./a.txt" instead, a missing "read" flag to the "test" directory along the path, and write permissions to the destination directory: No error message. The a.txt file gets correctly created, but getcwd() fails. 4. No existing "a.txt" file in the destination directory. Trying with "./a.txt", both "read" and "execute" flags along the path, and write permissions to the destination directory: No error message. The file gets correctly created, and getcwd() returns "/apache/htdocs/bwiberg/test/safemode". 5. Existing "a.txt" file in the destination directory. With the "read" flag missing to the "test" directory along the path, and write permissions to the destination directory: Warning: fopen(): open_basedir restriction in effect. File(a.txt) is not within the allowed path(s): (.:/apache/php/lib/php/:/apache/htdocs/bwiberg/) in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Warning: fopen(a.txt): failed to open stream: Not owner in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 File does not get overwritten. getcwd() fails. 6. Existing "a.txt" file in the destination directory. Having both read and execute flags along the path, and write permissions to the destination directory: No error message. File gets overwritten correctly. getcwd() returns "/apache/htdocs/bwiberg/test/safemode". 7. Existing "a.txt" file in the destination directory. Trying with "./a.txt" instead, a missing "read" flag to the "test" directory along the path, and write permissions to the destination directory: No error message. File gets overwritten correctly, but getcwd() fails. 8. Existing "a.txt" file in the destination directory. Trying with "./a.txt", both "read" and "execute" flags along the path, and write permissions to the destination directory: No error message. File gets overwritten correctly. getcwd() returns "/apache/htdocs/bwiberg/test/safemode". I don't know if these results are useless because of the custom HAVE_BROKEN_GETCWD 1 setting? Perhaps the tests would need to be redone without that modification? Best regards, Björn Previous Comments: [2005-07-05 10:21:38] Bjorn dot Wiberg at its dot uu dot se (Thanks for fixing the mpm_common crash, that problem is gone now.) With #define HAVE_BROKEN_GETCWD 1 in php_config.h, and having made sure that the path up to the directory where the file is to be created has sufficient permissions, I still get the same error: /apache/htdocs/bwiberg/test/safemode Warning: fopen(): Unable to access a.txt in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Warning: fopen(a.txt): failed to open stream: No such file or directory in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Having the read (r) permission off for the "test" directory along the way: Warning: fopen(): open_basedir restriction in effect. File(a.txt) is not within the allowed path(s): (.:/apache/php/lib/php/:/apache/htdocs/bwiberg/) in /
#32503 [Opn]: fopen() in cwd: filename must start with ./ under safe mode
ID: 32503 User updated by: Bjorn dot Wiberg at its dot uu dot se Reported By: Bjorn dot Wiberg at its dot uu dot se Status: Open Bug Type: Filesystem function related Operating System: IBM AIX 5.2.0.0 ML5 PHP Version: 5CVS-2005-03-31 New Comment: Hi again! I just tried the #define HAVE_BROKEN_GETCWD 1 trick from http://bugs.php.net/bug.php?id=32501, with PHP 5.0.4 (the "fixed" version) but that didn't help in this regard. I thought I would mention this. Best regards, Björn Previous Comments: [2005-04-05 09:28:28] Bjorn dot Wiberg at its dot uu dot se Hi Tony! Thank you for your feedback! I'm afraid that absolute paths aren't a very viable solution to this, as that probably would break too many scripts, expecting it to be possible to "just" save a file to the current directory. Is the "PHP realpath hack" supposed to handle these kind of problems on AIX? Please let me know if I can help in any way! Best regards, Björn [2005-04-04 17:11:05] [EMAIL PROTECTED] Right, this is somehow concerned with broken realpath() on AIX. The problem is that we end up with relative path in php_checkuid_ex() function and it fails to check permissions for the directory. Of course, the easiest solution is to use absolute paths everywhere. [2005-04-01 16:32:32] Bjorn dot Wiberg at its dot uu dot se Tried php5-200503310630 (5.1.0-dev), but the problem is still present: /apache/htdocs/bwiberg/test/safemode Warning: fopen(): Unable to access a.txt in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Warning: fopen(a.txt): failed to open stream: No such file or directory in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 (Whereas "./a.txt" works just fine.) Best regards, Björn [2005-03-30 17:17:27] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php5-latest.tar.gz For Windows: http://snaps.php.net/win32/php5-win32-latest.zip [2005-03-30 14:37:04] Bjorn dot Wiberg at its dot uu dot se Description: Under safe mode, if one tries to create a new file with fopen(), specifying a filename without any path part in it (such as "./a.txt" or /apache/htdocs/bwiberg/test/safemode/a.txt"), fopen() fails, claiming that the file cannot be found. If the file already exists, everything works just fine. If you specify a path part ahead of the filename, everything works just fine. If you give fopen() "true" as a third argument, and make sure that your include_path includes "." as its FIRST path (if you have several directories in it), everything works just fine. (Perhaps the restriction of only trying the FIRST path should be mentioned in the docs as well.) I'm not sure if this problem is related to the earlier discussions of php_realpath_hack (that fix should be present as "_AIX" is set by gcc under AIX), but it sure poses a problem for scripts which rely on being able to create a file in the current directory without specifying any path. Another question is why $handle in the example script isn't set to FALSE if the open failed -- instead the error propagates to the fputs() part. I'd appreciate any input regarding this. Thanks in advance! Best regards, Björn Reproduce code: --- "; $handle = fopen("a.txt", "w", false); if ( $handle != FALSE ) { fputs($handle, "testtext"); fclose($handle); } ?> Expected result: /apache/htdocs/bwiberg/test/safemode (File a.txt gets created in current directory.) Actual result: -- /apache/htdocs/bwiberg/test/safemode Warning: fopen(): Unable to access a.txt in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Warning: fopen(a.txt): failed to open stream: No such file or directory in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 -- Edit this bug report at http://bugs.php.net/?id=32503&edit=1
#32503 [Opn]: fopen() in cwd: filename must start with ./ under safe mode
ID: 32503 User updated by: Bjorn dot Wiberg at its dot uu dot se Reported By: Bjorn dot Wiberg at its dot uu dot se Status: Open Bug Type: Filesystem function related Operating System: IBM AIX 5.2.0.0 ML5 PHP Version: 5CVS-2005-03-31 New Comment: Hi Tony! Thank you for your feedback! I'm afraid that absolute paths aren't a very viable solution to this, as that probably would break too many scripts, expecting it to be possible to "just" save a file to the current directory. Is the "PHP realpath hack" supposed to handle these kind of problems on AIX? Please let me know if I can help in any way! Best regards, Björn Previous Comments: [2005-04-04 17:11:05] [EMAIL PROTECTED] Right, this is somehow concerned with broken realpath() on AIX. The problem is that we end up with relative path in php_checkuid_ex() function and it fails to check permissions for the directory. Of course, the easiest solution is to use absolute paths everywhere. [2005-04-01 16:32:32] Bjorn dot Wiberg at its dot uu dot se Tried php5-200503310630 (5.1.0-dev), but the problem is still present: /apache/htdocs/bwiberg/test/safemode Warning: fopen(): Unable to access a.txt in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Warning: fopen(a.txt): failed to open stream: No such file or directory in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 (Whereas "./a.txt" works just fine.) Best regards, Björn [2005-03-30 17:17:27] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php5-latest.tar.gz For Windows: http://snaps.php.net/win32/php5-win32-latest.zip [2005-03-30 14:37:04] Bjorn dot Wiberg at its dot uu dot se Description: Under safe mode, if one tries to create a new file with fopen(), specifying a filename without any path part in it (such as "./a.txt" or /apache/htdocs/bwiberg/test/safemode/a.txt"), fopen() fails, claiming that the file cannot be found. If the file already exists, everything works just fine. If you specify a path part ahead of the filename, everything works just fine. If you give fopen() "true" as a third argument, and make sure that your include_path includes "." as its FIRST path (if you have several directories in it), everything works just fine. (Perhaps the restriction of only trying the FIRST path should be mentioned in the docs as well.) I'm not sure if this problem is related to the earlier discussions of php_realpath_hack (that fix should be present as "_AIX" is set by gcc under AIX), but it sure poses a problem for scripts which rely on being able to create a file in the current directory without specifying any path. Another question is why $handle in the example script isn't set to FALSE if the open failed -- instead the error propagates to the fputs() part. I'd appreciate any input regarding this. Thanks in advance! Best regards, Björn Reproduce code: --- "; $handle = fopen("a.txt", "w", false); if ( $handle != FALSE ) { fputs($handle, "testtext"); fclose($handle); } ?> Expected result: /apache/htdocs/bwiberg/test/safemode (File a.txt gets created in current directory.) Actual result: -- /apache/htdocs/bwiberg/test/safemode Warning: fopen(): Unable to access a.txt in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Warning: fopen(a.txt): failed to open stream: No such file or directory in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 -- Edit this bug report at http://bugs.php.net/?id=32503&edit=1
#32503 [Opn]: fopen() in cwd: filename must start with ./ under safe mode
ID: 32503 Updated by: [EMAIL PROTECTED] Reported By: Bjorn dot Wiberg at its dot uu dot se Status: Open Bug Type: Filesystem function related Operating System: IBM AIX 5.2.0.0 ML5 PHP Version: 5CVS-2005-03-31 New Comment: Right, this is somehow concerned with broken realpath() on AIX. The problem is that we end up with relative path in php_checkuid_ex() function and it fails to check permissions for the directory. Of course, the easiest solution is to use absolute paths everywhere. Previous Comments: [2005-04-01 16:32:32] Bjorn dot Wiberg at its dot uu dot se Tried php5-200503310630 (5.1.0-dev), but the problem is still present: /apache/htdocs/bwiberg/test/safemode Warning: fopen(): Unable to access a.txt in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Warning: fopen(a.txt): failed to open stream: No such file or directory in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 (Whereas "./a.txt" works just fine.) Best regards, Björn [2005-03-30 17:17:27] [EMAIL PROTECTED] Please try using this CVS snapshot: http://snaps.php.net/php5-latest.tar.gz For Windows: http://snaps.php.net/win32/php5-win32-latest.zip [2005-03-30 14:37:04] Bjorn dot Wiberg at its dot uu dot se Description: Under safe mode, if one tries to create a new file with fopen(), specifying a filename without any path part in it (such as "./a.txt" or /apache/htdocs/bwiberg/test/safemode/a.txt"), fopen() fails, claiming that the file cannot be found. If the file already exists, everything works just fine. If you specify a path part ahead of the filename, everything works just fine. If you give fopen() "true" as a third argument, and make sure that your include_path includes "." as its FIRST path (if you have several directories in it), everything works just fine. (Perhaps the restriction of only trying the FIRST path should be mentioned in the docs as well.) I'm not sure if this problem is related to the earlier discussions of php_realpath_hack (that fix should be present as "_AIX" is set by gcc under AIX), but it sure poses a problem for scripts which rely on being able to create a file in the current directory without specifying any path. Another question is why $handle in the example script isn't set to FALSE if the open failed -- instead the error propagates to the fputs() part. I'd appreciate any input regarding this. Thanks in advance! Best regards, Björn Reproduce code: --- "; $handle = fopen("a.txt", "w", false); if ( $handle != FALSE ) { fputs($handle, "testtext"); fclose($handle); } ?> Expected result: /apache/htdocs/bwiberg/test/safemode (File a.txt gets created in current directory.) Actual result: -- /apache/htdocs/bwiberg/test/safemode Warning: fopen(): Unable to access a.txt in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 Warning: fopen(a.txt): failed to open stream: No such file or directory in /apache/htdocs/bwiberg/test/safemode/write.php on line 5 -- Edit this bug report at http://bugs.php.net/?id=32503&edit=1