From: stegelmann at rz dot rwth-aachen dot de
Operating system: SunOS 5.8
PHP version: 4.3.11
PHP Bug Type: Safe Mode/open_basedir
Bug description: open_basedir restrictions do not work with file creation in symlinked directory

Description:
------------
We have some Apache/1.3.31 vhosts with open_basedir restrictions:

php_admin_value open_basedir "/export/home/websites/it/:/export2/home/websites/it/:/tmp/:/var/tmp/"

/export/home/websites/it/ is a symlink to the directory /export2/home/websites/it/ .

A script writing to an existing file in /export/home/websites/it/ works without a flaw. Removing the file (so the script should create the file) produces an open_basedir warning. (The creation of a file in the real directory /export2/home/websites/it/ works.)

I've already checked the (symlink-)ownership and directory-permissions. safe_mode is disabled for testing purposes.

Reproduce code:
---------------
<?
$f = fopen("/export/home/websites/it/test", "w");
?>

Expected result:
----------------
As the file's path is in the allowed paths the file should be created (as it can be read when it exists).

Actual result:
--------------
Warning: fopen(): open_basedir restriction in effect. File(/export/home/websites/it/test) is not within the allowed path(s): (/export/home/websites/it:/export2/home/websites/it:/tmp/:/var/tmp/) in /export2/home/websites/it/test.php on line 2

Warning: fopen(/export/home/websites/it/test): failed to open stream: Not owner in /export2/home/websites/it/test.php on line 2

--
Edit bug report at http://bugs.php.net/?id=32851&edit=1
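
A diagnostic for the layout described in the report, as an added example that is not part of the original message or of PHP's own code: it canonicalizes a target that may not exist yet and lists which open_basedir entries contain it after symlinks are resolved. The function names and the temporary directory layout are constructed for illustration; it assumes a current PHP CLI with no open_basedir in effect and treats every entry as a directory.

```php
<?php
// Added diagnostic (not from the bug report or PHP itself); the function
// names are hypothetical. Run from the CLI with no open_basedir in effect.
// realpath() returns false for a file that does not exist yet, so resolve
// the deepest existing ancestor and re-append the missing components.
function canonical_target(string $path): ?string
{
    $tail = [];
    $cur = $path;
    while (($real = realpath($cur)) === false) {
        $parent = dirname($cur);
        if ($parent === $cur) {
            return null; // no ancestor could be resolved
        }
        array_unshift($tail, basename($cur));
        $cur = $parent;
    }
    return $tail ? rtrim($real, '/') . '/' . implode('/', $tail) : $real;
}

// List the open_basedir entries that contain $target once both sides are
// canonical. Simplification: every entry is treated as a directory.
function matching_entries(string $target, string $openBasedir): array
{
    $resolved = canonical_target($target);
    $matches = [];
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $entry) {
        $base = $entry === '' ? false : realpath($entry);
        if ($base === false || $resolved === null) {
            continue;
        }
        $base = rtrim($base, '/') . '/';
        if (strncmp($resolved . '/', $base, strlen($base)) === 0) {
            $matches[] = $entry;
        }
    }
    return $matches;
}

// Constructed layout mirroring the report: "link" is a symlink to "real".
$root = sys_get_temp_dir() . '/obd_demo_' . getmypid();
mkdir("$root/real", 0700, true);
symlink("$root/real", "$root/link");
$target = "$root/link/test"; // does not exist yet
echo "resolved: " . canonical_target($target) . "\n";
print_r(matching_entries($target, "$root/link/" . PATH_SEPARATOR . "$root/real/"));
unlink("$root/link");
rmdir("$root/real");
rmdir($root);
```

Running it against the real vhost paths and the configured open_basedir string shows whether the symlinked and the real spelling of the directory canonicalize to the same location for a file that has not been created yet.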