open_basedir issue on php-5.2.13

mst0ne
Forum Newbie
Posts: 1
Joined: Thu Mar 04, 2010 11:33 pm

open_basedir issue on php-5.2.13

Post by mst0ne »

Hi,

After compiling php-5.2.13 on the server, the open_basedir module is showing errors:
[Tue Mar 02 11:09:12 2010] [error] PHP Warning: require() [<a href='function.require'>function.require</a>]: open_basedir restriction in effect. File() is not within the allowed path(s): (/var/www/html:/home/www/html:/usr/share/pear:/tmp) in /home/www/html/reviews/index.php on line 23
[Tue Mar 02 11:09:12 2010] [error] PHP Fatal error: Can't load pp-inc.php, open_basedir restriction. in /home/www/html/reviews/index.php on line 23
open_basedir configuration on php.ini
--------------------------------------------------------------
open_basedir => .:/var/www/html:/usr/share/pear:/tmp:/home/www/html => .:/var/www/html:/usr/share/pear:/tmp:/home/www/html

There has been no change in the code or the settings. There has been an important security patch implemented in php-5.2.13 for safe_mode and open_basedir:
Fixed a possible open_basedir/safe_mode bypass in the session extension identified by Grzegorz Stachowiak. (Ilia)
Has anyone encountered this issue? I need to confirm if this is a bug so that I can report it at http://bugs.php.net.

Thanks!
Michael Stone
validator
Forum Newbie
Posts: 1
Joined: Sat Mar 06, 2010 6:02 am

Re: open_basedir issue on php-5.2.13

Post by validator »

Looks like this is a real bug. I have run into the same problem on my server. I currently use 5.2.12 with the tempnam safe mode patch.


 
Index: file.c
===================================================================
--- file.c      (revision 294764)
+++ file.c      (working copy)
@@ -828,7 +828,7 @@
        convert_to_string_ex(arg1);
        convert_to_string_ex(arg2);
 
-       if (PG(safe_mode) &&(!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_ALLOW_ONLY_DIR))) {
+       if (PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(arg1), NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
                RETURN_FALSE;
        }
 
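Review bot: The changed condition at file.c line 831 is still gated on PG(safe_mode), so the move from CHECKUID_ALLOW_ONLY_DIR to CHECKUID_CHECK_FILE_AND_DIR only takes effect on safe_mode installs, and nothing in this hunk touches an open_basedir check; the patch description should state that, since these lines alone cannot account for an open_basedir regression. The @@ header carries no function name, so please name the function being patched, and either split the `&&(` to `&& (` spacing fix out of the functional change or mention it in the description.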
file.c is in the src directory ext/standard. From 5.2.12 to 5.2.13 only file.c was changed in ext/standard/*.c (except for the copyright and version header). Not sure where they made the change in the open_basedir handling. Maybe the function php_check_open_basedir() is the problem.

It looks like 5.2.13 cannot resolve relative paths to absolute paths and compare them with the open_basedir definition correctly. I have found this problem in one of my Drupal instances which uses symbolic links. All symbolic links point to locations which are allowed/included in open_basedir.
ch_larsen
Forum Newbie
Posts: 1
Joined: Wed Jun 02, 2010 3:51 am

Re: open_basedir issue on php-5.2.13

Post by ch_larsen »

Dear All,

Since I updated my PHP version from 5.2.12 to 5.2.13 on my FreeBSD server, I have encountered the same problem. Interestingly, it does not make any difference whether the open_basedir settings are set in php.ini or in the domain-specific php-fpm.conf file: in any case, ANY entry other than an empty one creates an open_basedir error WITHOUT mentioning the file that is not accessible (i.e. very much different from typical open_basedir errors) - crazy:
Fatal error: Can't load ./sites/all/modules/views/theme/views-view-fields.tpl.php, open_basedir restriction. in /usr/local/www/drupal-6.16/includes/theme.inc on line 1066
Seems this is either a bug, or I am missing something very basic. Any help would be greatly appreciated.

Thanks a lot,

Chris
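A diagnostic sketch for the symptom reported in this thread (a relative path or a symlink rejected although its target lies inside an allowed directory), added here as an example and not code from any poster or from PHP: it resolves a path against the working directory, follows symlinks, and reports which open_basedir entry covers the result. The function names, the constructed directory layout and the comparison model are assumptions; PHP's own check is in php_check_open_basedir() and may differ in detail.

```python
import os
import tempfile

def check_open_basedir(path, open_basedir, cwd):
    """Return the open_basedir entry that covers path, or None if none does.

    Simplified model (assumption), not PHP's own code: resolve the path
    relative to cwd, follow symlinks, then compare with each resolved entry
    on directory boundaries. A "." entry means the working directory.
    """
    target = os.path.realpath(os.path.join(cwd, path))
    for entry in open_basedir.split(os.pathsep):
        if not entry:
            continue
        base = os.path.realpath(os.path.join(cwd, entry))
        if target == base or target.startswith(base.rstrip(os.sep) + os.sep):
            return entry
    return None

def build_demo_tree():
    """Constructed layout: a docroot with one allowed and one disallowed symlink."""
    root = os.path.realpath(tempfile.mkdtemp())
    docroot = os.path.join(root, "home", "www", "html")
    shared = os.path.join(root, "var", "www", "html", "modules")
    outside = os.path.join(root, "srv", "private")
    for d in (docroot, shared, outside):
        os.makedirs(d)
    for d in (shared, outside):
        open(os.path.join(d, "inc.php"), "w").close()
    os.symlink(shared, os.path.join(docroot, "modules"))  # target is allowed
    os.symlink(outside, os.path.join(docroot, "leak"))    # target is not allowed
    basedir = os.pathsep.join(
        [".", os.path.join(root, "var", "www", "html"), docroot])
    return root, docroot, basedir

if __name__ == "__main__":
    root, docroot, basedir = build_demo_tree()
    for p in ("./modules/inc.php", "leak/inc.php",
              "../../../srv/private/inc.php", "index.php"):
        print(p, "->", check_open_basedir(p, basedir, docroot))
```

Run against the real open_basedir string and the path from the error log, a result of None for a file that should be allowed points at the configuration or the symlink target, while a matching entry points at the PHP build.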