#20314 [NEW]: Varying open_basedir handling

Fri, 08 Nov 2002 09:09:25 -0800 

From:             [EMAIL PROTECTED]
Operating system: Solaris 7
PHP version:      4.2.3
PHP Bug Type:     *Directory/Filesystem functions
Bug description:  Varying open_basedir handling

Some basic data in advance:
All our servers run PHP 4.2.3 / Apache 1.3.27 / Solaris 7

Despite the fact that since 4.2.3 (at least that's when we discovered it)
an empty open_basedir (according to the manual access should not be
restricted at all that way) will randomly (maybe 5% of all requests) lead
to "open_basedir restriction in effect in line 0" meaning that the script
itself failed to open we discovered another strange effect of
open_basedir:

There are 2 virtual hosts: 1 parsing .php and 1 parsing .html for
php-code.
Both their open_basedir is set to the corresponding webserver-root plus
the additional directories "/tmp" and "/var/tmp".
On the first one (parsing .html) include("./test.txt") or even
include("test.txt") will not work (open_basedir restriction) unless we add
e.g. "te" to the open_basedir (adding "." does not work). In contrast
absolute paths do work fine.
On the second server all sorts of includes (from current directory, from
parent directory, from root) work as supposed and will not fail unless
they try to bypass the open_basedir.

As far as we've looked the issue up the only real difference between the 2
virtual hosts is that one parses for .html and has it's own user running
the server and the other is parsing for .php and is using the
standard-user (www).

Thanks in advance for any help or hints...


Matthias Fleischer


-- 
Edit bug report at http://bugs.php.net/?id=20314&edit=1
-- 
Try a CVS snapshot:         http://bugs.php.net/fix.php?id=20314&r=trysnapshot
Fixed in CVS:               http://bugs.php.net/fix.php?id=20314&r=fixedcvs
Fixed in release:           http://bugs.php.net/fix.php?id=20314&r=alreadyfixed
Need backtrace:             http://bugs.php.net/fix.php?id=20314&r=needtrace
Try newer version:          http://bugs.php.net/fix.php?id=20314&r=oldversion
Not developer issue:        http://bugs.php.net/fix.php?id=20314&r=support
Expected behavior:          http://bugs.php.net/fix.php?id=20314&r=notwrong
Not enough info:            http://bugs.php.net/fix.php?id=20314&r=notenoughinfo
Submitted twice:            http://bugs.php.net/fix.php?id=20314&r=submittedtwice
register_globals:           http://bugs.php.net/fix.php?id=20314&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=20314&r=php3
Daylight Savings:           http://bugs.php.net/fix.php?id=20314&r=dst
IIS Stability:              http://bugs.php.net/fix.php?id=20314&r=isapi

Reply via email to