Reindl Harald wrote:
below a correct open_basedir restriction
but why can fopen() create this file outside the
basedir and after that the restriction is active?
this means in other words: fopen() can empty files outside the basedir
if their permissions are open enough
Sep 27 10:53:26 open_basedir restriction in effect. File(/tmp/rhcsvz8QeBL) is
not within the allowed path(s):
(/etc/httpd/conf/panel:/Volumes/dune/www-servers/phpincludes:/usr/share/pear)
Sep 27 10:53:26 PHP Warning: fopen(/tmp/rhcsvz8QeBL): failed to open stream:
Operation not permitted in
/Volumes/dune/www-servers/phpincludes/global_rh_csv.inc.php on line 2
[root@arrakis:~]$ stat /tmp/rhcsvz8QeBL
File: „/tmp/rhcsvz8QeBL“
Are you sure it is the fopen() what is making it?
I think that some other function/extension may be creating the temporary
file
/tmp/rhcsvz8QeBL for you to open, which then fails due to the open_basedir.
What version are you running ? Can you try to isolate the problem?
A simple test like:
<?php
ini_set('open_basedir', '/var/tmp/');
$f = fopen("/tmp/foo.txt", "w");
Does *not* create such file.
It is possible to create a file there with*tmpfile(), but just because that's
the
default location for temporary files. You can't change the folder from a
malicious
script, and the files are removed at the end of the script, so it is arguable
as a
basedir bypass.
*
Can you create a testcase that leaks such file?
