There is an open_basedir warning on the import page.
Warning: is_file() [function.is-file]: open_basedir restriction in effect. File(/tmp/..) is not within the allowed path(s): ([...]) in [...]pma/libraries/file_listing.php on line 21
Import works as expected.
DO NOT add /tmp/.. to your open_basedir, otherwise your system is open for everyone. /tmp/.. means /
Logged In: YES
user_id=210714
Originator: NO
Sorry but I don't get your point. You are reporting this as a phpMyAdmin bug because the warning was displayed?
Logged In: YES
user_id=1312539
Originator: NO
This Tracker item was closed automatically by the system. It was
previously set to a Pending status, and the original submitter
did not respond within 14 days (the time period specified by
the administrator of this Tracker).
Logged In: YES
user_id=1923365
Originator: NO
Hi lem9
I want to give feedback to this ticket - I'm helping with the isp-control ispcp project and we came across this issue again in the forum.
I don't know why the OP didn't answer ...
The issue
condition:
open_basedir restriction set, eg: "/var/www/ispcp/gui/"
and the following settings in pma :
$cfg['UploadDir'] = '/var/www/ispcp/gui/phptmp';
$cfg['SaveDir'] = '/var/www/ispcp/gui/phptmp';
appearance:
when clicking on Import in phpMyAdmin, eg: /pma/db_import.php
consequence:
a php warning is issued (log file or displayed if enabled):
[27-Oct-2007 12:10:23] PHP Warning: is_file() [<a href='function.is-file'>function.is-file</a>]: open_basedir restriction in effect. File(/var/www/ispcp/gui/phptmp/..) is not within the allowed path(s): (/var/www/ispcp/gui/:...) in /var/www/ispcp/gui/tools/pma/libraries/file_listing.php on line 24
The relevant function in libraries/file_listing.php:
function PMA_getDirContent($dir, $expression = '')
{
    user_error($dir. ' - '. $expression);
    if ($handle = @opendir($dir)) {
        $result = array();
        if (substr($dir, -1) != '/') {
            $dir .= '/';
        }
        while ($file = @readdir($handle)) {
            if (is_file($dir . $file) && ($expression == '' || preg_match($expression, $file))) {
                $result[] = $file;
            }
        }
        @closedir($handle);
        asort($result);
        return $result;
    } else {
        return FALSE;
    }
}
line 24 is the one with "is_file(...)".
The problem: all directory entries of the given directory are checked with "is_file" - also the entry ".."
but this is forbidden by the open_basedir restriction.
Now, I just noticed: if I set "/var/www/ispcp/gui" instead of "/var/www/ispcp/gui/" then the warning is not issued - this seems to be a php issue...
But only in our situation...
If open_basedir is set to the same directory as the upload folder, then a warning will be issued anyway
Conclusion:
The entry ".." should be excluded from the "is_file" check... see below...
Thanx
Christian
    while ($file = @readdir($handle)) {
        if (($file != '..') && is_file($dir . $file) && ($expression == '' || preg_match($expression, $file))) {
            $result[] = $file;
        }
    }
Logged In: YES
user_id=210714
Originator: NO
Christian,
I cannot reproduce this problem with PHP 5.2.4.
Which PHP version are you using?
Are you running with an additional security layer like Suhosin?
Anyway, reading the documentation for open_basedir, the message you get does not make sense because /var/www/ispcp/gui/phptmp/.. is within the allowed path /var/www/ispcp/gui/
Logged In: YES
user_id=1923365
Originator: NO
Hi Marc
I'll investigate more on this.
I use debian etch, so php 5.2.0-8... suhosin is enabled.
I'll do more checks and try to find out where's the problem.
I'll come back here :-)
Christian
Logged In: YES
user_id=1923365
Originator: NO
ok
I set suhosin.simulation = On so this should be ok
Following setting:
php.ini:
open_basedir = "/var/www/ispcp/gui:/tmp/"
pma-config:
$cfg['UploadDir'] = '/tmp';
-> Warnings
[13-Nov-2007 01:47:45] PHP Warning: is_file() [<a href='function.is-file'>function.is-file</a>]: open_basedir restriction in effect. File(/tmp/..) is not within the allowed path(s): (/var/www/ispcp/gui:/tmp/) in /var/www/ispcp/gui/tools/pma/libraries/file_listing.php on line 24
[13-Nov-2007 01:47:45] PHP Warning: is_file() [<a href='function.is-file'>function.is-file</a>]: open_basedir restriction in effect. File(/tmp/.) is not within the allowed path(s): (/var/www/ispcp/gui:/tmp/) in /var/www/ispcp/gui/tools/pma/libraries/file_listing.php on line 24
with:
$cfg['UploadDir'] = '/tmp/a';
-> Warning:
[13-Nov-2007 01:49:56] PHP Warning: is_file() [<a href='function.is-file'>function.is-file</a>]: open_basedir restriction in effect. File(/tmp/a/..) is not within the allowed path(s): (/var/www/ispcp/gui:/tmp/) in /var/www/ispcp/gui/tools/pma/libraries/file_listing.php on line 24
So - maybe this is a php bug (with is_file) but at least the warning could be prevented in pma by checking for ".." and "." before running is_file on it.
I run "original PHP" from debian etch: "PHP 5.2.0-8+etch7 (cli) (built: Jul 2 2007 21:46:15)"
With fastcgi/suexec...
You're right lem9 - the file is within the open_basedir - I'm also wondering...
maybe I have to write a proof of concept - but then it's a php bug in is_file...
Cheers Christian
Logged In: YES
user_id=1923365
Originator: NO
Hi again
if you cannot reproduce it - it's maybe a fixed bug:
http://bugs.php.net/bug.php?id=41518
5.2.4 must be the first PHP version where it's fixed - maybe someone could confirm this???
Thanx,
Christian
Logged In: YES
user_id=1923365
Originator: NO
Hi
I just got the message that the Warning is not issued with PHP 5.2.5.
So I really think it's caused by the already fixed PHP Bug 41518
But - nevertheless I recommend changing the mentioned line so that some older PHP versions also don't throw a warning in such situations...
Cheers
Christian
Logged In: YES
user_id=210714
Originator: NO
Fixed in subversion, thanks for reporting.
Logged In: YES
user_id=1923365
Originator: NO
Hi Marc
I think you should also test on '.', as I wrote on "2007-11-13 01:58" - in our program (ispcp) only the '..' is relevant but in other configurations also '.' should be excluded from is_file...
But thanks anyway - looking forward to the next release :-)
Christian
    // for PHP < 5.2.4, is_file() gives a warning when using open_basedir
    // and opening '..'
    if ('.' != $file && '..' != $file && is_file($dir . $file) && ($expression == '' || preg_match($expression, $file))) {
        $result[] = $file;
    }
Logged In: YES
user_id=210714
Originator: NO
Hi Christian,
now done.
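
The following is an added example, not code from this thread, phpMyAdmin or PHP. It models open_basedir entries as plain string prefixes of the lexically resolved path (an assumption about the PHP versions discussed, not PHP's actual implementation) and runs the paths and settings quoted above through that model. The function names `normalize_path` and `within_basedir` and the file name `dump.sql` are made up for the illustration.

```php
<?php
// Added illustration, not phpMyAdmin or PHP source. Assumption: open_basedir
// entries are compared as plain string prefixes against the resolved path.

/** Lexically resolve "." and ".." in an absolute path (no filesystem access). */
function normalize_path(string $path): string
{
    $stack = [];
    foreach (explode('/', $path) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part === '..') {
            array_pop($stack);   // at "/" this is a no-op, as on a real filesystem
            continue;
        }
        $stack[] = $part;
    }
    return '/' . implode('/', $stack);
}

/** True if the resolved path starts with any entry of the open_basedir list. */
function within_basedir(string $path, string $openBasedir): bool
{
    $resolved = normalize_path($path);
    foreach (explode(':', $openBasedir) as $allowed) {
        if ($allowed !== '' && strncmp($resolved, $allowed, strlen($allowed)) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed cases built from the settings quoted in the thread.
$cases = [
    ['/tmp/..',                      '/var/www/ispcp/gui:/tmp/'],
    ['/tmp/.',                       '/var/www/ispcp/gui:/tmp/'],
    ['/tmp/a/..',                    '/var/www/ispcp/gui:/tmp/'],
    ['/tmp/a/dump.sql',              '/var/www/ispcp/gui:/tmp/'],
    ['/var/www/ispcp/gui/phptmp/..', '/var/www/ispcp/gui/'],
    ['/var/www/ispcp/gui/phptmp/..', '/var/www/ispcp/gui'],
];
foreach ($cases as [$path, $basedir]) {
    printf("%-30s -> %-20s %s (open_basedir=%s)\n", $path, normalize_path($path),
        within_basedir($path, $basedir) ? 'allowed' : 'warning', $basedir);
}
```

In this model `/tmp/..` resolves to `/`, which is why adding it to open_basedir would allow the whole filesystem, and the `..` entry under `/var/www/ispcp/gui/phptmp` is rejected only when the open_basedir entry ends with a slash, matching the observation in the thread.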