ID: 50063
Updated by: [email protected]
Reported By: christian at elmerot dot se
-Status: Open
+Status: Feedback
Bug Type: Safe Mode/open_basedir
Operating System: Debian Etch, Lenny
PHP Version: 5.3.0
New Comment:
Just to clarify: This does not happen with PHP 5.2.11 ?
Previous Comments:
------------------------------------------------------------------------
[2009-11-03 16:47:11] christian at elmerot dot se
"Actual output" should be:
Warning: require_once() [function.require-once]: SAFE MODE Restriction
in effect. The script whose uid is 35873 is not allowed to access
/usr/share/php/PEAR/Exception.php owned by uid 0 in /xxxx/peartest.php
on line 2
Warning: require_once(/usr/share/php/PEAR/Exception.php)
[function.require-once]: failed to open stream: No such file or
directory in /xxxx/peartest.php on line 2
Fatal error: require_once() [function.require]: Failed opening required
'PEAR/Exception.php' (include_path='.:/usr/share/php') in
/xxxx/peartest.php on line 2
And of course the file is there: ls -l
/usr/share/php/PEAR/Exception.php
-rw-r--r-- 1 root root 12818 Apr 29 2009
/usr/share/php/PEAR/Exception.php
------------------------------------------------------------------------
[2009-11-03 16:15:58] christian at elmerot dot se
Description:
------------
Using the following config options ignores the safe_mode_include_dir
and does a uid-check even though the php-file is in the
safe_mode_include_dir. This is likely still present in 5.3.1RC2
safe_mode = On
safe_mode_include_dir = /usr/share/php
include_path = ".:/usr/share/php"
The following code:
<?php
require_once("PEAR/Exception.php");
echo "OK";
?>
To me it appears that PHP 5.3.x now use a different code-path to open
files as the following patch against the function
php_plain_files_stream_opener 5.3.0 solves the issue for us as it
appears there is no safe_mode_include_dir-check although there is a
safe_mode uid-check:
--- main/streams/plain_wrapper.c 2009-11-03 15:52:59.414872711 +0100
+++ main/streams/plain_wrapper.c 2009-11-03 15:52:59.420045302 +0100
@@ -988,6 +988,10 @@
return NULL;
}
+ if ((php_check_safe_mode_include_dir(path TSRMLS_CC)) == 0) {
+ return php_stream_fopen_rel(path, mode, opened_path, options);
+ }
+
if ((options & ENFORCE_SAFE_MODE) && PG(safe_mode) &&
(!php_checkuid(path, mode, CHECKUID_CHECK_MODE_PARAM)))
return NULL;
Reproduce code:
---------------
<?php
require_once("PEAR/Exception.php");
echo "OK";
?>
Expected result:
----------------
OK
Actual result:
--------------
Warning: require() [function.require]: SAFE MODE Restriction in effect.
The script whose uid is 771909 is not allowed to access
/usr/share/php/PEAR/Exception.php owned by uid 0 in
/xxxxxxxxxxxxx/peartest.php on line 2
Warning: require(/usr/share/php/PEAR/Exception.php) [function.require]:
failed to open stream: No such file or directory in
/xxxxxxxxxxxxx/peartest.php on line 2
Fatal error: require() [function.require]: Failed opening required
'PEAR/Exception.php' (include_path='.:/usr/share/php') in
/xxxxxxxxxxxxx/peartest.php on line 2
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=50063&edit=1
