#24516 [NEW]: subset open_basedir in .htaccess and block users from opening files

Sun, 06 Jul 2003 18:07:36 -0700 

From:             mphh at bandignition dot tk
Operating system: All
PHP version:      Irrelevant
PHP Bug Type:     Feature/Change Request
Bug description:  subset open_basedir in .htaccess and block users from opening files

Description:
------------
Could someone find a way so that files (i.e., .htaccess, .httpd) could be
block from opening by a user and that open_basedir can be set on a
per-directory while still enforceing the open_basedir set in .httpd or
php.ini.

Reproduce code:
---------------
php.ini:
open_basedir = "/usr/home/public_html/"
deny_open_files = ".htaccess,.httpd"

.htaccess (#1):
php_flag open_basedir = "/usr/home/public_html/some/dir/"

.htaccess (#2):
php_flag open_basedir = "/"

script1.php:
<?php
$fp=fopen("text.txt", "w");
fwrite($fp, "nice text");
fclose($fp);
echo "file writing done";
?>

script2.php:
<?php
$fp=fopen(".htaccess", "w");
fwrite($fp, "evil code");
fclose($fp);
echo "evil done";
?>

Expected result:
----------------
.htaccess (#1) will work while,
.htaccess (#2) will not.

and

script1.php will return:
file writing done

and script2.php will return:
Error: fopen(): You are not allowed to open that file for security resons.


-- 
Edit bug report at http://bugs.php.net/?id=24516&edit=1
-- 
Try a CVS snapshot:         http://bugs.php.net/fix.php?id=24516&r=trysnapshot
Fixed in CVS:               http://bugs.php.net/fix.php?id=24516&r=fixedcvs
Fixed in release:           http://bugs.php.net/fix.php?id=24516&r=alreadyfixed
Need backtrace:             http://bugs.php.net/fix.php?id=24516&r=needtrace
Try newer version:          http://bugs.php.net/fix.php?id=24516&r=oldversion
Not developer issue:        http://bugs.php.net/fix.php?id=24516&r=support
Expected behavior:          http://bugs.php.net/fix.php?id=24516&r=notwrong
Not enough info:            http://bugs.php.net/fix.php?id=24516&r=notenoughinfo
Submitted twice:            http://bugs.php.net/fix.php?id=24516&r=submittedtwice
register_globals:           http://bugs.php.net/fix.php?id=24516&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=24516&r=php3
Daylight Savings:           http://bugs.php.net/fix.php?id=24516&r=dst
IIS Stability:              http://bugs.php.net/fix.php?id=24516&r=isapi
Install GNU Sed:            http://bugs.php.net/fix.php?id=24516&r=gnused

Reply via email to