0

Warning: touch() [function.touch]: open_basedir restriction in effect. File() is not within the allowed path(s): (/var/www/vhosts/site.com/httpdocs/) in /var/www/vhosts/site.com/httpdocs/Manuals/updater.php on line 5 There was an error loading your Manual, please press the back button and try again.

I'm trying to figure out why the heck this isn't working - currently, I am using Plesk, and it is set to default, which should be working as this is within a subdirectory of the httpdocs...

Any ideas?

UPDATER.PHP

<?php
//    $URL="manualframe.php";
$URL = $_GET["URL"];
//    header( 'Location: '.$URL.'' ) ;
if (touch($URL)) {
    echo 'loading!';
} else {
    echo 'There was an error loading your Manual, please press the back button and try again.';
}
echo '<meta http-equiv="refresh" content="1;URL='.$URL.'">';
?>
NRGdallas

2 Answers

4

Would the Manuals directory be a symlink to a directory outside the webroot by any chance?

open_basedir is also in effect on symlinks within your allowed path(s).

See the PHP manual on open_basedir for more information, which states:

When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink. If the file doesn't exist then the symlink couldn't be resolved and the filename is compared to (a resolved) open_basedir.

Rem.co
  • example file is located at site.com/manuals/folder1/sample.pdf no silly business here :P – NRGdallas Jun 13 '12 at 18:55
  • In that case, can you provide us with a code example of updater.php? (Specifically line 5). I misread the error message; Manuals/updater.php is within the allowed path, but the file you're trying to `touch` is not, so maybe there's an error in your syntax. (Quite possibly an absolute/relative path issue, e.g. when you try to `touch('/folder1/sample.pdf')` instead of `touch('./folder1/sample.pdf')`) – Rem.co Jun 13 '12 at 19:00
  • Can't paste code into comments, code added to main post. Notably I've tried '/folder1' './folder1' and even just 'folder1' -nothin. – NRGdallas Jun 13 '12 at 19:02
  • onto something currently; it looks like my get variable is not getting sent right for the url, so I guess the idea on the path is right - fixing and seeing if problem is resolved. – NRGdallas Jun 13 '12 at 19:09
  • 1
    Resolved, get data was being sent with the wrong variable, and the url was missing the variable anyways - fixed both, changed file permissions, problem resolved. thanks for the lead! – NRGdallas Jun 13 '12 at 19:15
  • I tested your code and it seems to work OK (with the urgent remark that directly using unsanitized GET variables is very very dangerous): `http://localhost/test.php?URL=test/test.pdf` does in fact create `test.pdf` *if* the (case sensitive) (sub)directory `test` exists. – Rem.co Jun 13 '12 at 19:18
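
The last comment above flags the unsanitized `$_GET["URL"]`, which reaches both `touch()` and the HTML redirect in updater.php. The following is an added example, not code from the thread, of a variant that confines the path to the script's directory and escapes the redirect target. The helper name `resolve_manual`, the PDF-only policy and the directory layout are assumptions.

```php
<?php
// Added example, not from the thread. Assumption: manuals live below this script's directory.

// Hypothetical helper: resolve a user-supplied relative path to an existing
// file inside $baseDir; return null if it is missing or escapes $baseDir.
function resolve_manual(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    // Reject empty input, NUL bytes, absolute paths and URL schemes up front.
    if ($base === false || $requested === '' || $requested[0] === '/'
        || strpos($requested, "\0") !== false || strpos($requested, '://') !== false) {
        return null;
    }
    // realpath() resolves symlinks and "..", and returns false when the file
    // does not exist, so request input can no longer create new files.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || !is_file($full)) {
        return null;
    }
    // The resolved path must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

$error = 'There was an error loading your Manual, please press the back button and try again.';
$requested = (isset($_GET['URL']) && is_string($_GET['URL'])) ? $_GET['URL'] : '';
$full = resolve_manual(__DIR__, $requested);

// Only existing PDF files may be touched and served (assumed policy).
if ($full === null || strtolower(pathinfo($full, PATHINFO_EXTENSION)) !== 'pdf' || !touch($full)) {
    http_response_code(400);
    exit($error);
}

// Build the redirect target from the validated path, never from the raw parameter,
// and escape it for the HTML attribute context.
$relative = substr($full, strlen(realpath(__DIR__)) + 1);
$href = implode('/', array_map('rawurlencode', explode(DIRECTORY_SEPARATOR, $relative)));
echo 'loading!';
echo '<meta http-equiv="refresh" content="1;URL=' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">';
```

open_basedir remains a useful backstop, but it only bounds the whole vhost; the check above narrows the reachable files to the one directory the script is meant to serve.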
0

Looks like PHP is running in Safe Mode. This restriction means you can't read any files outside your web root. That's probably what updater.php is trying to do.

Cameron Martin
  • Safe mode is disabled per Plesk panel. All updater.php does is take a file within the manuals subfolder, touch it, and then redirect to it. – NRGdallas Jun 13 '12 at 18:55