Home Original page

file_exists() warns of open_basedir restriction on non-existent file

Bug #41518 file_exists() warns of open_basedir restriction on non-existent file
Submitted: 2007-05-28 13:38 UTC Modified: 2007-07-03 07:05 UTC
Votes:8
Avg. Score:4.4 ± 0.5
Reproduced:5 of 6 (83.3%)
Same Version:3 (60.0%)
Same OS:4 (80.0%)
From: ruben dot willmes at emil2001 dot de Assigned: tony2001 (profile)
Status: Closed Package: Safe Mode/open_basedir
PHP Version: 5.2.2 OS: Linux
Private report: No CVE-ID: None

 [2007-05-28 13:38 UTC] ruben dot willmes at emil2001 dot de

Description:
------------
If open_basedir is active, file_exists(), as well as is_dir() and 
is_file(), throw an open_basedir warning if you check a non-existent 
file in a directory mentioned in the open_basedir configuration. The 
directories used in this case aren't symlinks.

The following example describes the situation with is_file(), but you'll 
get the same result with is_dir() and file_exists().

For a reference please see Bug #24313 
http://bugs.php.net/bug.php?id=24313

Sorry if this is a dub, but i didn't found any bugs referring to the 
actual PHP version

Reproduce code:
---------------
if (is_file('/var/www/localhost/htdocs/index.phph')) {
        print "File exists";
} else {
        print "File does not exist";
}


Expected result:
----------------
is_file should return a FALSE and you should read "File does not exist".

Actual result:
--------------
In addition to "File does not exist", you'll get a warning that 
open_basedir restriction is in effect:

Warning: is_file() [function.is-file]: open_basedir restriction in 
effect. File(/var/www/localhost/htdocs/index.phph) is not within the 
allowed path(s): (/var/www/localhost/htdocs/) in /var/www/localhost/
htdocs/check.php on line 3

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2007-05-28 22:05 UTC] xeo2001 at yahoo dot com

I have to disagree with you. 

I'v set a open base dir as /www/home/user and when i open (the by you produced code) in /www/home/user/test.php as:
<?
if (is_file('/www/home/user/index.phph')) {
 print "File exists";
}else {
 print "File does not exist";
}
?>

I just get the text "File does not exist". I think you got a problem in your server configuration?

Running system(s):
Debian 4.1
Apache 1.3.37
Php 4.4.7

 [2007-05-28 22:09 UTC] xeo2001 at yahoo dot com

Ow. i forgot to mantion that the server also runs php 5 and 6. While only tested in php 4 and 5.

 [2007-05-29 06:58 UTC] ruben dot willmes at emil2001 dot de

You're right, it does work correctly if i set my open_basedir to '/var/
www/localhost/htdocs' (without the trailing slash). But if i set it to 
'/var/www/localhost/htdocs/' (with the trailing slash), it doesn't work 
in my test case. Could you please try it once more setting your 
open_basedir to '/www/home/user/' (with the trailing slash)?

The system this is running on is PHP 5.2.2, with Apache 2.0.58.

thx in advance

 [2007-05-29 20:39 UTC] tony2001@php.net

If we remove this warning for non-existent files, it could be possible to use file_exists() to detect which files exists (since it's perfectly legal to print this warning when the file exists).

 [2007-05-30 20:20 UTC] ruben dot willmes at emil2001 dot de

Sorry, but i have to reopen this bug again.

Thx for the reply, Tony, but i don't think you understood me. 

I don't want to generally remove this error message, it's just under 
your OWN open_basedir, where you shouldn't get this message since 
you should be able to check whether the file exists under your OWN 
open_basedir, or am i wrong?

Let's make an example:

Two users, user1 and user2, both locked in their homedirs with 
open_basedir:
/home/user1/
/home/user2/

Both have one file in their directory, let's call it test.php

Now, if user1 checks whether test.php exists, he get's a true, as 
well as user2. If user1 checks user2's test.php, he'll get a false 
and an open_basedir warning since he's out of his open_basedir. 
That's correct. 

But what if user1 checks a file called test2.php under his own 
directory, /home/user1/? Should he get an open_basedir error? In my 
eyes he should only get a 'false' as the file does not exist, but no 
open_basedir warning, since he's still in his own open_basedir.

In the recent PHP5 release (5.2.2) one get's an open_basedir warning 
if you check a non-existent file under your OWN open_basedir. In a 
previous release the message was not present (i think it was 5.2.0 
or 5.2.1).

so, please reconsider this bug

 [2007-05-31 11:06 UTC] tony2001@php.net

I don't think I get what you're talking about:
# ls -l /tmp/nosuch
ls: cannot access /tmp/nosuch: No such file or directory
#php -d open_basedir=/tmp -r 'var_dump(file_exists("/tmp/nosuch"));'
bool(false)

No warning whatsoever.

 [2007-05-31 12:40 UTC] ruben dot willmes at emil2001 dot de

Your example is correct, that does work, but what if you change the 
following:

Instead of 

#php -d open_basedir=/tmp -r 'var_dump(file_exists("/tmp/nosuch"));'

try

#php -d open_basedir=/tmp/ -r 'var_dump(file_exists("/tmp/nosuch"));'

Notice the slash behind "open_basedir=/tmp/". With that you get

Warning: file_exists(): open_basedir restriction in effect. File(/tmp/
nosuch) is not within the allowed path(s): (/tmp/) in Command line 
code on line 1
bool(false)

 [2007-06-01 00:02 UTC] phpbugs at thequod dot de

This might be related to bug #39123, where open_basedir=/tmp/ 
started to fail, as internally only "/tmp" (without trailing slash) 
got considered. (http://bugs.php.net/bug.php?id=39123)

 [2007-06-18 18:41 UTC] paul at moonkhan dot org

@Ruben

Running PHP 5.2.3 on Redhat Enterprise Linux 4 I get the following:

#php -d open_basedir=/tmp -r 'var_dump(file_exists("/tmp/nosuch"));'
bool(false)

But if I switch /tmp to /tmp/ (ie, with trailing slash):

#php -d open_basedir=/tmp/ -r 'var_dump(file_exists("/tmp/nosuch"));'
PHP Warning:  file_exists(): open_basedir restriction in effect. File(/tmp/nosuch) is not within the allowed path(s): (/tmp/) in Command line code on line 1

Warning: file_exists(): open_basedir restriction in effect. File(/tmp/nosuch) is not within the allowed path(s): (/tmp/) in Command line code on line 1
bool(false)


We can eliminate this problem in our environment if we remove the trailing slashes from our open_basedir settings but that's not how open_basedir was intended to work, since trailing slashes prevent "wildcarding". For example, "/tmp" matches "/tmpfoo" and "/tmpbar" but "/tmp/" should only match, well, /tmp/.

-Paul

 [2007-07-03 07:05 UTC] tony2001@php.net

This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.