ID: 19292
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Critical
Bug Type: Apache related
Operating System: linux
-PHP Version: 4.3.0-dev,4.2.3
+PHP Version: 4.2.3,4.3.0
New Comment:
Update version. Bug confirmed in 4.3.0 - final.
Previous Comments:
------------------------------------------------------------------------
[2003-01-10 03:17:18] [EMAIL PROTECTED]
Is somebody working on this critical bug in php 4.3.0??
Bug was opened 8 sep and now it isn't even the same year...
This is a severe problem for all hosting companies since they have to
turn of open_basedir to get things going without errors.
------------------------------------------------------------------------
[2003-01-09 12:42:13] [EMAIL PROTECTED]
I have just tried to EXPLICITLY set "php_admin_flag safe_mode off" to
ALL virtual hosts, which should not be restricted with safe mode and it
seems to help. So the problem is here only when I rely on the default
setting in php.ini file (where I have safe mode off by default) and
when there is AT LEAST one virtual host with safe_mode enabled.
------------------------------------------------------------------------
[2003-01-09 12:36:48] [EMAIL PROTECTED]
If a have one virt. host with safe_mode turned on and the other one
with safe_mode off, the SECOND one (with safe_mode off from default ini
setting) sometimes seems to have safe_mode turned on, until next
reload. When I tried to replace safe_mode with open_basedir
restrictions, this problem was the same one, which is described above.
------------------------------------------------------------------------
[2003-01-09 04:36:33] [EMAIL PROTECTED]
I wrote regression tests for safe mode recently which trigger this bug
reliably when upgrading to 4.3.0 from 4.2.2 on Apache 2.0.40. In the
Apache config I use: (erring on the side of verbosity)
<Directory /local/qa/perl-framework/t/htdocs/php/safemode>
php_admin_value safe_mode 1
php_admin_value safe_mode_exec_dir /bin
php_admin_value open_basedir /
php_admin_value display_errors 0
php_admin_value log_errors 1
php_admin_value safe_mode_allowed_env_vars FOO_
php_admin_value safe_mode_protected_env_vars FOO_FEE
</Directory>
Then:
/local/qa/perl-framework/t/htdocs/php/safemode/readfile.php contains:
<?php readfile("/etc/passwd"); ?>
The server error log gets this output for the script:
PHP Warning: Unknown(): open_basedir restriction in effect.
File(/local/qa/perl-framework/t/htdocs/php/safemode/readfile.php) is
not within the allowed path(s): (/) in Unknown on line 0
PHP Warning:
Unknown(/local/qa/perl-framework/t/htdocs/php/safemode/readfile.php):
failed to create stream: Operation not permitted in Unknown on line 0
PHP Warning: Unknown(): Failed opening
'/local/qa/perl-framework/t/htdocs/php/safemode/readfile.php' for
inclusion (include_path='.:/usr/share/pear') in Unknown on line 0
------------------------------------------------------------------------
[2003-01-06 11:29:06] [EMAIL PROTECTED]
Getting totally wrong dir in the output of the error mess
open_basedir restriction in effect. File(index.php) is not within the
allowed path(s): (/home/userB)
Getting this error when surfing to userA which has open_basedir set to
/home/userA in apache virthost, one gets that access to userB home
isn't granted.
This might not be a fault in the open_basedir code, but for some reason
it get's the wrong open_basedir dir from the calling function.
If someone could take a deeper look at this it would be nice, hard to
explain to all customers that this problem is out of our hands to fix.
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/19292
--
Edit this bug report at http://bugs.php.net/?id=19292&edit=1
