From:             info at directwebsolutions dot nl
Operating system: Linux
PHP version:      Irrelevant
Package:          PHAR related
Bug Type:         Bug
Bug description:  Phar follows symlinks instead of adding them which causes problems

Description:
------------
---
From manual page:
http://www.php.net/phar.buildfromdirectory#refsect1-phar.buildfromdirectory-description
---
Phar follows symlinks. Normally a backup of files would make a copy of the
symlink file (which is normally 0 bytes) and add it to the tar. That is how
the tar binary works. Phar follows the symlink and continues adding files
outside the set 'buildFromDirectory'.

Example: I execute $phar->buildFromDirectory('/home/user/public_html'); and
there is a symlink named 'stats' which resolves to '/etc/stats/'. Phar then
goes to /etc/stats and starts adding files to the tar package. In my
opinion Phar should check if the complete filepath starts with the
'buildFromDirectory' first parameter and exclude files if not.

This is especially a problem on shared hosting platforms with the
open_basedir restriction, but I would recommend also fixing this for all
server configurations.

It is also weird that, if you look at the 'Actual Result', to the human
eye the path IS WITHIN the allowed open_basedir directory, but actually it
is OUTSIDE the open_basedir (/usr/...). Probably due to the symlink.

Maybe a new parameter could be a solution:
$phar->buildFromDirectory(..., [$follow_symlinks = true]);

Test script:
---------------
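<?php
  // $localfilepath: path of the tar archive to create
  // $localbackupdir: directory to archive (/home/user in the result below)
  $phar = new PharData($localfilepath);
  $phar->compress(Phar::GZ);
  $phar->buildFromDirectory($localbackupdir);
?>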

Expected result:
----------------
SUCCESS - tar(gz) file created

Actual result:
--------------
Warning: RecursiveDirectoryIterator::hasChildren()
[recursivedirectoryiterator.haschildren]: open_basedir restriction in
effect. File(/home/user/awstats/icon) is not within the allowed path(s):
(/home/user/:/tmp:/var/tmp:/usr/local/lib/php/) in file ... line ..

Fatal error: Uncaught exception 'UnexpectedValueException' with message
'Iterator RecursiveIteratorIterator returned a path
"/usr/local/awstats/icon" that is not in the base directory "/home/user"'
in /home/user/tarscript.php:40 Stack trace: #0
/home/user/tarscript.php(40): PharData->buildFromDirectory('/home/user...')
#1 {main} thrown in /home/user/tarscript.php on line 40

-- 
Edit bug report at https://bugs.php.net/bug.php?id=65332&edit=1
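
One way to implement the containment check the report proposes, as an added example that is not code from the report or from PHP: it builds the file list itself, skips symlinks, and hands the result to buildFromIterator(). The function names and the policy of skipping links (rather than storing them as link entries, as the tar binary does) are assumptions.

```php
<?php
// Added example (not PHP's or the reporter's code). Function names and the
// "skip symlinks" policy are assumptions made for illustration.

/** Map archive path => real path for regular files that stay inside $baseDir. */
function collectContainedFiles(string $baseDir): array
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new InvalidArgumentException("Not a directory: $baseDir");
    }
    // Compare against "$base/" so /home/user2 never matches /home/user.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    // FOLLOW_SYMLINKS is not set, so symlinked directories are not descended.
    $walker = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS)
    );

    $files = [];
    foreach ($walker as $info) {
        if ($info->isLink() || !$info->isFile()) {
            continue; // symlinks are skipped, never dereferenced
        }
        $real = realpath($info->getPathname());
        if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            continue; // unresolvable, or resolves outside the base directory
        }
        $files[substr($real, strlen($prefix))] = $real;
    }
    ksort($files);
    return $files;
}

/** Build a tar from the filtered map; returns the entry names added. */
function buildContainedTar(string $tarPath, string $baseDir): array
{
    $files = collectContainedFiles($baseDir);
    // Key = name inside the archive, value = file on disk.
    (new PharData($tarPath))->buildFromIterator(new ArrayIterator($files));
    return array_keys($files);
}

// Constructed demo tree: one real file plus a symlink that points outside it.
$root = sys_get_temp_dir() . '/phar_symlink_demo_' . getmypid();
mkdir("$root/site", 0700, true);
file_put_contents("$root/site/index.html", 'hello');
file_put_contents("$root/outside.txt", 'not part of the site');
symlink("$root/outside.txt", "$root/site/stats");
print_r(buildContainedTar("$root/backup.tar", "$root/site"));
```

The prefix comparison uses the base directory with a trailing separator, which a plain "starts with" test on the directory name would miss for sibling paths that share a prefix.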