PHP :: Bug #41492 :: open_basedir bypass via readfile()

Bug #41492	open_basedir bypass via readfile()
Submitted:	2007-05-24 15:55 UTC	Modified:	2007-05-27 17:33 UTC
From:	bugs dot php dot net at chsc dot dk	Assigned:
Status:	Closed	Package:	Safe Mode/open_basedir
PHP Version:	5.2.2	OS:	Linux
Private report:	No	CVE-ID:	None

[2007-05-24 15:55 UTC] bugs dot php dot net at chsc dot dk

Description:
------------
file_exists() etc. does not allow checking the existence of files outside the directories specified in open_basedir.

Appearently readfile() does *not* have this restriction and thus allows checking the existence of files anywhere in the filesystem. If realpath($filename) returns a string (i.e. not false), the file exists. This is a circumvention of the open_basedir restriction in file_exists() etc.


Reproduce code:
---------------
The following should always be true, but it isn't when $dir is outside the directories specified in open_basedir:

var_dump(file_exists($dir) === (bool) realpath($dir));

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-05-27 17:33 UTC] iliaa@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.