Edit report at http://bugs.php.net/bug.php?id=24516&edit=1

 ID:                 24516
 Updated by:         j...@php.net
 Reported by:        mphh at bandignition dot tk
 Summary:            subset open_basedir in .htaccess and block users from opening files
-Status:             Open
+Status:             Closed
 Type:               Feature/Change Request
-Package:            Feature/Change Request
+Package:            *General Issues
 Operating System:   All
 PHP Version:        Irrelevant
-Assigned To:
+Assigned To:        jani
 Block user comment: N
 Private report:     N

 New Comment:

We have user ini support since 5.3.0. Also:

http://www.php.net/manual/en/ini.core.php#ini.open-basedir

"As of PHP 5.3.0 open_basedir can be tightened at run-time. This means
that if open_basedir is set to /www/ in php.ini a script can tighten the
configuration to /www/tmp/ at run-time with ini_set()"


Previous Comments:
------------------------------------------------------------------------
[2003-07-06 20:08:40] mphh at bandignition dot tk

Description:
------------
Could someone find a way so that files (i.e., .htaccess, .httpd) could
be blocked from opening by a user and that open_basedir can be set on a
per-directory basis while still enforcing the open_basedir set in .httpd
or php.ini.

Reproduce code:
---------------
php.ini:
open_basedir = "/usr/home/public_html/"
deny_open_files = ".htaccess,.httpd"

.htaccess (#1):
php_flag open_basedir = "/usr/home/public_html/some/dir/"

.htaccess (#2):
php_flag open_basedir = "/"

script1.php:
<?php
$fp=fopen("text.txt", "w");
fwrite($fp, "nice text");
fclose($fp);
echo "file writing done";
?>

script2.php:
<?php
$fp=fopen(".htaccess", "w");
fwrite($fp, "evil code");
fclose($fp);
echo "evil done";
?>

Expected result:
----------------
.htaccess (#1) will work, while .htaccess (#2) will not.
and
script1.php will return:
file writing done
and
script2.php will return:
Error: fopen(): You are not allowed to open that file for security
reasons.

------------------------------------------------------------------------
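
The run-time tightening that the closing comment quotes from the manual, as an added PHP example (not part of the bug report and not PHP's own code). It assumes PHP 5.3.0 or later with open_basedir unset in php.ini, so the first ini_set() stands in for the system-wide setting; the directory tree is constructed under the system temp directory.

```php
<?php
// Added illustration, not code from the bug report.
// Assumption: php.ini leaves open_basedir unset, so the first ini_set()
// below plays the role of the php.ini value.

// Constructed sample tree: <temp>/obd_demo_<pid>/{outside.txt, tmp/inside.txt}
$base = sys_get_temp_dir() . '/obd_demo_' . getmypid();
mkdir($base . '/tmp', 0700, true);
$base = realpath($base);            // open_basedir compares resolved paths
$sub  = $base . '/tmp';
file_put_contents($base . '/outside.txt', "outside\n");
file_put_contents($sub . '/inside.txt', "inside\n");

function report($label, $ok)
{
    printf("%-40s %s\n", $label, $ok ? 'allowed' : 'refused');
}

// ini_set() returns the old value on success and false on failure.
// Values end with a slash, as in the manual's /www/ and /www/tmp/ example.
report('set base (stand-in for php.ini)',
    ini_set('open_basedir', $base . '/') !== false);
report('read outside.txt under base',
    @file_get_contents($base . '/outside.txt') !== false);

// Tightening to a subdirectory of the current value is accepted.
report('tighten to base/tmp/',
    ini_set('open_basedir', $sub . '/') !== false);
report('read tmp/inside.txt',
    @file_get_contents($sub . '/inside.txt') !== false);
report('read outside.txt after tightening',
    @file_get_contents($base . '/outside.txt') !== false);

// Widening is refused: each new path must lie inside the current value,
// which is the behaviour the report's ".htaccess (#2)" case asks for.
report('widen back to base/',
    ini_set('open_basedir', $base . '/') !== false);
report('widen to /',
    ini_set('open_basedir', '/') !== false);

echo 'effective open_basedir: ', ini_get('open_basedir'), "\n";
```

The sample files are left in the temp directory, because once the setting is tightened the script can no longer reach outside.txt to delete it.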