Newsgroups: php.internals
Subject: Re: [PHP-DEV] open_basedir bypass -> errata tempnam()
From: h.reindl@thelounge.net (Reindl Harald)
To: internals@lists.php.net
Date: Wed, 28 Sep 2011 10:50:06 +0200
Message-ID: <4E82DFBE.7000701@thelounge.net>

On 28.09.2011 10:46, Pierre Joye wrote:
> hi,
>
> On Wed, Sep 28, 2011 at 9:02 AM, Reindl Harald wrote:
>
> First, all you need to test is:
>
> $tempfile = tempnam($temp_folder, 'rhcsv');
> $fp = fopen($tempfile, 'w');
>
>> * /tmp MUST NOT be in open_basedir
>> * the temp-folder must be read only
>> * QUESTION1: why is tempnam() falling back to a dir outside open_basedir?
>> * QUESTION2: why is tempnam() creating a file OUTSIDE open_basedir?
>
> The flow can be easily seen here:
>
> http://lxr.php.net/opengrok/xref/PHP_5_4/ext/standard/file.c#798
> http://lxr.php.net/xref/PHP_5_4/main/php_open_temporary_file.c#php_do_open_temporary_file
>
>> * QUESTION3: why is there no error-msg that $dir is readonly instead of an unexpected fallback?
>
> It is how it always works for temp files. Configuring the temp
> directories correctly is the way to go (set the TMP). As far as I
> remember there was a discussion about temp directories and open base
> dir a while back, maybe you can find some additional info in it.
But it is wrong to create a file outside the open_basedir, especially if a fully qualified directory was passed where it should be created. Without any param /tmp is right, but not as a magical fallback, and in my opinion a well designed webapp should never touch the global /tmp shared with other hosts and applications.
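The behaviour discussed above (tempnam() silently falling back to the system temp directory when the requested directory is not writable) can be guarded against on the application side. The following wrapper is an added example written for this page, not code from the thread or from PHP itself; the function name strictTempnam and the demo directory are assumptions. It refuses the fallback by checking that the created file really lives in the directory that was requested.

```php
<?php
declare(strict_types=1);

/**
 * Create a temporary file strictly inside $dir.
 * tempnam() falls back to the system temp dir (typically /tmp) when $dir is
 * not writable; this hypothetical helper refuses to accept such a fallback.
 */
function strictTempnam(string $dir, string $prefix): string
{
    $realDir = realpath($dir);
    if ($realDir === false || !is_dir($realDir)) {
        throw new RuntimeException("temp dir does not exist: $dir");
    }
    if (!is_writable($realDir)) {
        // Fail loudly instead of letting tempnam() pick a directory for us.
        throw new RuntimeException("temp dir not writable: $realDir");
    }
    // Suppress the fallback notice newer PHP versions emit; the result is
    // verified below regardless of PHP version.
    $path = @tempnam($realDir, $prefix);
    if ($path === false) {
        throw new RuntimeException("tempnam() failed in $realDir");
    }
    $realPath = realpath($path);
    // Accept the file only if it sits directly in the directory we asked for.
    if ($realPath === false || dirname($realPath) !== $realDir) {
        // tempnam() fell back to another directory: remove the stray file.
        @unlink($path);
        throw new RuntimeException("tempnam() created $path outside $realDir");
    }
    return $realPath;
}

// Constructed demo: a read-only directory reproduces the situation from the
// thread (directory passed, but not writable by the web server user).
$dir = sys_get_temp_dir() . '/rhcsv_demo_' . getmypid();
mkdir($dir, 0500);
try {
    strictTempnam($dir, 'rhcsv');
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
// Make the directory writable again; now the call must succeed in place.
chmod($dir, 0700);
$file = strictTempnam($dir, 'rhcsv');
echo "created $file", PHP_EOL;
unlink($file);
rmdir($dir);
```

When run as root the is_writable() check passes even on a 0500 directory, so the second safeguard (the dirname() comparison) is the one that matters in that case.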