Posted by Ken Williams on 03/22/06 21:34

What I mean is the definition of open_basedir is specifically "Limit the
files that can be opened by PHP to the specified directory-tree,
including the file itself."

So I set open_basedir to "/path1", so nothing outside of /path1 is
reachable. Yet $output = `/path2/program`; is possible and works fine.

Therefor, open_basedir does absolutely nothing.

I'm in Linux 2.4, Apache 1.3.31, PHP 4.4.2.


Malachi wrote:
> Ken Williams wrote:
>> Is this right? I've set open_basedir to /usr/apache/httpd/website or
>> whatever, something thats not /usr/bin yet the following still works:
>>
>> $output = `/usr/bin/cat /proc/loadavg`;
>>
>> Is this correct? If open_basedir is in effect is /usr/bin/cat still
>> support to be executable in this way? It does work (/usr/bin/cat is
>> restricted) for fopen.
>>
>> Thanks.
>
> I'm not sure I understand you entirely, but putting stuff in ``'s is
> pretty much the same as typing that into a 'nix shell (assuming it's on
> a 'nix platform, dunno what happens otherwise...) and returning the
> stout (and as you have it there, sticking it into $output). Since you
> describe the absolute paths to all executables and files in the bit that
> gets passed to a shell, $output should not change no matter what
> open_basedir is.
>
> I hope this helps...
>
> -mala

[Back to original message]