Edit report at http://bugs.php.net/bug.php?id=46934&edit=1
ID: 46934 Updated by: [email protected] Reported by: kristof dot coomans at telenet dot be Summary: Unable to untighten open_basedir restriction -Status: Assigned +Status: Open Type: Feature/Change Request -Package: Feature/Change Request +Package: *General Issues Operating System: * PHP Version: 5.3CVS-2009-04-10 -Assigned To: pollita +Assigned To: Previous Comments: ------------------------------------------------------------------------ [2009-04-12 16:17:59] crrodriguez at opensuse dot org I think that allowing un-tightening is not a very good idea... <?php ini_set( 'open_basedir', $newBaseDir ); //good code ini_restore( 'open_basedir' ); //bad exploitable code here, "protection" useless... I think it should be allowed only once. ------------------------------------------------------------------------ [2009-04-10 17:49:31] [email protected] Sara, can you either confirm or fix it what Hannes said above? ------------------------------------------------------------------------ [2009-04-10 17:46:35] [email protected] See also bug #47945 ------------------------------------------------------------------------ [2008-12-27 23:46:10] [email protected] I don't think the plan was to allow un-tightening it again.. ------------------------------------------------------------------------ [2008-12-23 08:55:33] kristof dot coomans at telenet dot be Description: ------------ I'm testing the new feature introduced lately, namely "tightening" the open_basedir setting. This might be a very good security measure, to prevent relative directory traversal exploits. However, sometimes it is useful to tighten the path only for certain code, and untighten it again afterward to its original value. This doesn't seem to work currently. Reproduce code: --------------- <?php // original open_basedir value echo ini_get( 'open_basedir' ) . PHP_EOL; $newBaseDir = dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'var' . DIRECTORY_SEPARATOR; ini_set( 'open_basedir', $newBaseDir ); // new tightened open_basedir value echo ini_get( 'open_basedir' ) . PHP_EOL; // this will fail, as intended, because of the open_basedir restriction file_put_contents( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'test.txt', 'test 123 456' ); ini_restore( 'open_basedir' ); // original open_basedir value again echo ini_get( 'open_basedir' ) . PHP_EOL; // this will stail fail, not intended file_put_contents( dirname( __FILE__ ) . DIRECTORY_SEPARATOR . 'test.txt', 'test 123 456' ); ?> Expected result: ---------------- The last call should be allowed, and a file test.txt should have been created in the same directory as the script. Actual result: -------------- Warning: file_put_contents(): open_basedir restriction in effect. File(C:\sites\ trunk\test.txt) is not within the allowed path(s): (░δรง☺♀) in ... Warning: file_put_contents(C:\sites\trunk\test.txt): failed to open stream: Operation not permitted in ... ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/bug.php?id=46934&edit=1
