0004772: OpenBaseDir restiction in Packages.php

(0014054)
SleePy (Developer)
2011-07-08 13:24
edited on: 2011-07-08 13:24

Um...
I only got to say your PHP installation is messed up or incorrectly configured. !is_dir should return false for entry being . or ..
is_dir will return true, but ! inverses this to false. So it should fall through to the else which does check for those.

What error are you receiving?

(0014081)
feline (Beta Tester)
2011-07-09 16:44

error is OpenBaseDir restriction
server data:
MySQL version: 5.0.51a
Alternative PHP Cache: 3.1.7
PHP: 5.2.11
Server version: Apache/2.2.8 (Linux/SUSE)
open_basedir not set in php.ini

(0014084)
SleePy (Developer)
2011-07-09 22:04

Are you saying that is from our code? Far as I can tell, we do not provide any warnings about openbase dir being set:
jeremy@Zeus:/home/svn/sm-smf$grep -Rn "basedir" trunk/Themes/default/languages/
jeremy@Zeus:/home/svn/sm-smf$

Can you give me the exact error it is giving you?

As I said, the logic of that function is already making sure that it isn't a directory. So if this is giving you a open basedir restrictions, there must be something incorrectly configured or a PHP bug was discovered. (btw php 5.2 is no longer supported in some aspects by the php team).

(0014085)
SleePy (Developer)
2011-07-09 22:06

As a FYI just to make sure I wasn't misunderstood. We don't provide any warnings. Our code base does in some parts attempt to detect open basedir being set:

jeremy@Zeus:/home/svn/sm-smf$grep -Rn "basedir" branches/2.0/Sources/
branches/2.0/Sources/ManageSmileys.php:567: if (!is_uploaded_file($_FILES['uploadSmiley']['tmp_name']) || (@ini_get('open_basedir') == '' && !file_exists($_FILES['uploadSmiley']['tmp_name'])))
branches/2.0/Sources/ManageSmileys.php:638: if (!is_uploaded_file($_FILES['individual_' . $set['name']]['tmp_name']) || (@ini_get('open_basedir') == '' && !file_exists($_FILES['individual_' . $set['name']]['tmp_name'])))
branches/2.0/Sources/ManageSmileys.php:1365: if (isset($_FILES['set_gz']) && is_uploaded_file($_FILES['set_gz']['tmp_name']) && (@ini_get('open_basedir') != '' || file_exists($_FILES['set_gz']['tmp_name'])))
branches/2.0/Sources/PackageGet.php:642: elseif (!is_uploaded_file($_FILES['package']['tmp_name']) || (@ini_get('open_basedir') == '' && !file_exists($_FILES['package']['tmp_name'])))
branches/2.0/Sources/Post.php:988: if (!is_uploaded_file($_FILES['attachment']['tmp_name'][$n]) || (@ini_get('open_basedir') == '' && !file_exists($_FILES['attachment']['tmp_name'][$n])))
branches/2.0/Sources/Subs-Post.php:2079: $file_restricted = @ini_get('open_basedir') != '' && !$already_uploaded;
branches/2.0/Sources/Themes.php:1447: if (isset($_FILES['theme_gz']) && is_uploaded_file($_FILES['theme_gz']['tmp_name']) && (@ini_get('open_basedir') != '' || file_exists($_FILES['theme_gz']['tmp_name'])))

(0014088)
feline (Beta Tester)
2011-07-10 08:50

is_dir returns true on . and ..
I checked that on php 5.3.1
var_dump(is_dir('.'));
var_dump(is_dir('..'));
returns:
bool(true)
bool(true)

(0014092)
SleePy (Developer)
2011-07-10 11:19

Yes, but the code does a not true check:
if (!is_dir($path . '/' . $entry))
If is NOT dir $parth . '/' . $entry

(0014098)
feline (Beta Tester)
2011-07-10 14:03

That it's not the point. I checked that on my Server and find out:
is_dir('..') returns false and the error:
is_dir(): open_basedir restriction in effect. File(..) is not within the allowed path(s):
The current folder is my forum dir ($boarddir)

(0014112)
SleePy (Developer)
2011-07-11 11:27

Well that is odd. You said open basedir isn't set (per your first comment)

None the less we can fix it.

(0014114)
groundup (Team Member)
2011-07-11 19:19

Can we create another function instead of checking if $filename === '.' || $filename === '..' etc.

(0014115)
SleePy (Developer)
2011-07-11 21:06

groundup,

I think the easiest solution would be to change !is_dir to is_file. Both existed in PHP at the same time, so its not a problem.
http://php.net/manual/en/function.is-file.php [^]
http://php.net/manual/en/function.is-dir.php [^]

(0014118)
groundup (Team Member)
2011-07-12 18:48

What happens with symlinks?

(0014119)
SleePy (Developer)
2011-07-13 12:16

They work just fine:

jeremy@Zeus:/home/svn/sm-smf$ln -s branches branches_syn
jeremy@Zeus:/home/svn/sm-smf$ln -s .DS_Store DS_syn
jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_dir("branches"));'
bool(true)
jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_dir("branches_syn"));'
bool(true)
jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_file(".DS_Store"));'
bool(true)
jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_file("DS_syn"));'
bool(true)
jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_file("branches"));'
bool(false)
jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_file("branches_syn"));'
bool(false)

(0014461)
emanuele (Developer)
2012-03-01 15:16

Still there.

So is_file is the best choice here?

(0014531)
Spuds (Developer)
2012-03-30 09:23

Either what the OP suggested or is_file would be fine. Seems though that since the check is to see if it is a file, is_file is more readable then not a directory.

(0014533)
Spuds (Developer)
2012-03-30 16:11

Commit:7f5207bb8966fa1235d2ce7c231269ee91f31ef6

* ! [4772]: OpenBaseDir restriction in Packages.php

News:

Simple Machines Bug and Feature Tracker

Notes
(0014054) SleePy (Developer) 2011-07-08 13:24 edited on: 2011-07-08 13:24	Um... I only got to say your PHP installation is messed up or incorrectly configured. !is_dir should return false for entry being . or .. is_dir will return true, but ! inverses this to false. So it should fall through to the else which does check for those. What error are you receiving?

(0014081) feline (Beta Tester) 2011-07-09 16:44	error is OpenBaseDir restriction server data: MySQL version: 5.0.51a Alternative PHP Cache: 3.1.7 PHP: 5.2.11 Server version: Apache/2.2.8 (Linux/SUSE) open_basedir not set in php.ini

(0014084) SleePy (Developer) 2011-07-09 22:04	Are you saying that is from our code? Far as I can tell, we do not provide any warnings about openbase dir being set: jeremy@Zeus:/home/svn/sm-smf$grep -Rn "basedir" trunk/Themes/default/languages/ jeremy@Zeus:/home/svn/sm-smf$ Can you give me the exact error it is giving you? As I said, the logic of that function is already making sure that it isn't a directory. So if this is giving you a open basedir restrictions, there must be something incorrectly configured or a PHP bug was discovered. (btw php 5.2 is no longer supported in some aspects by the php team).

(0014085) SleePy (Developer) 2011-07-09 22:06	As a FYI just to make sure I wasn't misunderstood. We don't provide any warnings. Our code base does in some parts attempt to detect open basedir being set: jeremy@Zeus:/home/svn/sm-smf$grep -Rn "basedir" branches/2.0/Sources/ branches/2.0/Sources/ManageSmileys.php:567: if (!is_uploaded_file($_FILES['uploadSmiley']['tmp_name']) \|\| (@ini_get('open_basedir') == '' && !file_exists($_FILES['uploadSmiley']['tmp_name']))) branches/2.0/Sources/ManageSmileys.php:638: if (!is_uploaded_file($_FILES['individual_' . $set['name']]['tmp_name']) \|\| (@ini_get('open_basedir') == '' && !file_exists($_FILES['individual_' . $set['name']]['tmp_name']))) branches/2.0/Sources/ManageSmileys.php:1365: if (isset($_FILES['set_gz']) && is_uploaded_file($_FILES['set_gz']['tmp_name']) && (@ini_get('open_basedir') != '' \|\| file_exists($_FILES['set_gz']['tmp_name']))) branches/2.0/Sources/PackageGet.php:642: elseif (!is_uploaded_file($_FILES['package']['tmp_name']) \|\| (@ini_get('open_basedir') == '' && !file_exists($_FILES['package']['tmp_name']))) branches/2.0/Sources/Post.php:988: if (!is_uploaded_file($_FILES['attachment']['tmp_name'][$n]) \|\| (@ini_get('open_basedir') == '' && !file_exists($_FILES['attachment']['tmp_name'][$n]))) branches/2.0/Sources/Subs-Post.php:2079: $file_restricted = @ini_get('open_basedir') != '' && !$already_uploaded; branches/2.0/Sources/Themes.php:1447: if (isset($_FILES['theme_gz']) && is_uploaded_file($_FILES['theme_gz']['tmp_name']) && (@ini_get('open_basedir') != '' \|\| file_exists($_FILES['theme_gz']['tmp_name'])))

(0014088) feline (Beta Tester) 2011-07-10 08:50	is_dir returns true on . and .. I checked that on php 5.3.1 var_dump(is_dir('.')); var_dump(is_dir('..')); returns: bool(true) bool(true)

(0014092) SleePy (Developer) 2011-07-10 11:19	Yes, but the code does a not true check: if (!is_dir($path . '/' . $entry)) If is NOT dir $parth . '/' . $entry

(0014098) feline (Beta Tester) 2011-07-10 14:03	That it's not the point. I checked that on my Server and find out: is_dir('..') returns false and the error: is_dir(): open_basedir restriction in effect. File(..) is not within the allowed path(s): The current folder is my forum dir ($boarddir)

(0014112) SleePy (Developer) 2011-07-11 11:27	Well that is odd. You said open basedir isn't set (per your first comment) None the less we can fix it.

(0014114) groundup (Team Member) 2011-07-11 19:19	Can we create another function instead of checking if $filename === '.' \|\| $filename === '..' etc.

(0014115) SleePy (Developer) 2011-07-11 21:06	groundup, I think the easiest solution would be to change !is_dir to is_file. Both existed in PHP at the same time, so its not a problem. http://php.net/manual/en/function.is-file.php [^] http://php.net/manual/en/function.is-dir.php [^]

(0014118) groundup (Team Member) 2011-07-12 18:48	What happens with symlinks?

(0014119) SleePy (Developer) 2011-07-13 12:16	They work just fine: jeremy@Zeus:/home/svn/sm-smf$ln -s branches branches_syn jeremy@Zeus:/home/svn/sm-smf$ln -s .DS_Store DS_syn jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_dir("branches"));' bool(true) jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_dir("branches_syn"));' bool(true) jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_file(".DS_Store"));' bool(true) jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_file("DS_syn"));' bool(true) jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_file("branches"));' bool(false) jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_file("branches_syn"));' bool(false)

(0014461) emanuele (Developer) 2012-03-01 15:16	Still there. So is_file is the best choice here?

(0014531) Spuds (Developer) 2012-03-30 09:23	Either what the OP suggested or is_file would be fine. Seems though that since the check is to see if it is a file, is_file is more readable then not a directory.

(0014533) Spuds (Developer) 2012-03-30 16:11	Commit:7f5207bb8966fa1235d2ce7c231269ee91f31ef6 * ! [4772]: OpenBaseDir restriction in Packages.php

Relationships