View Issue Details Jump to Notes ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0004772SMF 2.0Generalpublic2011-06-24 08:062012-08-23 20:35
PlatformallOSLinuxOS VersionSuse 11
Summary0004772: OpenBaseDir restiction in Packages.php
DescriptionThis code produce the error:
    $dh = opendir($path);
    while ($entry = readdir($dh))
        // Some kind of file?
        if (!is_dir($path . '/' . $entry))

To fix this, change that to:
    $dh = opendir($path);
    while ($entry = readdir($dh))
        // Some kind of file?
        if ($entry != '.' && $entry != '..' && !is_dir($path . '/' . $entry))
Attached Files

- Relationships

-  Notes
SleePy (Developer)
2011-07-08 13:24
edited on: 2011-07-08 13:24

I only got to say your PHP installation is messed up or incorrectly configured. !is_dir should return false for entry being . or ..
is_dir will return true, but ! inverses this to false. So it should fall through to the else which does check for those.

What error are you receiving?

feline (Beta Tester)
2011-07-09 16:44

error is OpenBaseDir restriction
server data:
MySQL version: 5.0.51a
Alternative PHP Cache: 3.1.7
PHP: 5.2.11
Server version: Apache/2.2.8 (Linux/SUSE)
open_basedir not set in php.ini
SleePy (Developer)
2011-07-09 22:04

Are you saying that is from our code? Far as I can tell, we do not provide any warnings about openbase dir being set:
jeremy@Zeus:/home/svn/sm-smf$grep -Rn "basedir" trunk/Themes/default/languages/

Can you give me the exact error it is giving you?

As I said, the logic of that function is already making sure that it isn't a directory. So if this is giving you a open basedir restrictions, there must be something incorrectly configured or a PHP bug was discovered. (btw php 5.2 is no longer supported in some aspects by the php team).
SleePy (Developer)
2011-07-09 22:06

As a FYI just to make sure I wasn't misunderstood. We don't provide any warnings. Our code base does in some parts attempt to detect open basedir being set:

jeremy@Zeus:/home/svn/sm-smf$grep -Rn "basedir" branches/2.0/Sources/
branches/2.0/Sources/ManageSmileys.php:567: if (!is_uploaded_file($_FILES['uploadSmiley']['tmp_name']) || (@ini_get('open_basedir') == '' && !file_exists($_FILES['uploadSmiley']['tmp_name'])))
branches/2.0/Sources/ManageSmileys.php:638: if (!is_uploaded_file($_FILES['individual_' . $set['name']]['tmp_name']) || (@ini_get('open_basedir') == '' && !file_exists($_FILES['individual_' . $set['name']]['tmp_name'])))
branches/2.0/Sources/ManageSmileys.php:1365: if (isset($_FILES['set_gz']) && is_uploaded_file($_FILES['set_gz']['tmp_name']) && (@ini_get('open_basedir') != '' || file_exists($_FILES['set_gz']['tmp_name'])))
branches/2.0/Sources/PackageGet.php:642: elseif (!is_uploaded_file($_FILES['package']['tmp_name']) || (@ini_get('open_basedir') == '' && !file_exists($_FILES['package']['tmp_name'])))
branches/2.0/Sources/Post.php:988: if (!is_uploaded_file($_FILES['attachment']['tmp_name'][$n]) || (@ini_get('open_basedir') == '' && !file_exists($_FILES['attachment']['tmp_name'][$n])))
branches/2.0/Sources/Subs-Post.php:2079: $file_restricted = @ini_get('open_basedir') != '' && !$already_uploaded;
branches/2.0/Sources/Themes.php:1447: if (isset($_FILES['theme_gz']) && is_uploaded_file($_FILES['theme_gz']['tmp_name']) && (@ini_get('open_basedir') != '' || file_exists($_FILES['theme_gz']['tmp_name'])))
feline (Beta Tester)
2011-07-10 08:50

is_dir returns true on . and ..
I checked that on php 5.3.1
SleePy (Developer)
2011-07-10 11:19

Yes, but the code does a not true check:
         if (!is_dir($path . '/' . $entry))
If is NOT dir $parth . '/' . $entry
feline (Beta Tester)
2011-07-10 14:03

That it's not the point. I checked that on my Server and find out:
is_dir('..') returns false and the error:
is_dir(): open_basedir restriction in effect. File(..) is not within the allowed path(s):
The current folder is my forum dir ($boarddir)
SleePy (Developer)
2011-07-11 11:27

Well that is odd. You said open basedir isn't set (per your first comment)

None the less we can fix it.
groundup (SMF Friend)
2011-07-11 19:19

Can we create another function instead of checking if $filename === '.' || $filename === '..' etc.
SleePy (Developer)
2011-07-11 21:06


I think the easiest solution would be to change !is_dir to is_file. Both existed in PHP at the same time, so its not a problem. [^] [^]
groundup (SMF Friend)
2011-07-12 18:48

What happens with symlinks?
SleePy (Developer)
2011-07-13 12:16

They work just fine:

jeremy@Zeus:/home/svn/sm-smf$ln -s branches branches_syn
jeremy@Zeus:/home/svn/sm-smf$ln -s .DS_Store DS_syn
jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_dir("branches"));'
jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_dir("branches_syn"));'
jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_file(".DS_Store"));'
jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_file("DS_syn"));'
jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_file("branches"));'
jeremy@Zeus:/home/svn/sm-smf$php -r 'var_dump(is_file("branches_syn"));'
emanuele (Developer)
2012-03-01 15:16

Still there.

So is_file is the best choice here?
Spuds (SMF Friend)
2012-03-30 09:23

Either what the OP suggested or is_file would be fine. Seems though that since the check is to see if it is a file, is_file is more readable then not a directory.
Spuds (SMF Friend)
2012-03-30 16:11


* ! [4772]: OpenBaseDir restriction in Packages.php
MantisBT (Modified for SMF Intergration)[^] Copyright © 2000 - 2010 Mantis Group