2

I want to ask a question.
I have a webserver (apache2/php/debian), and PHP is configured with the open_basedir option for some security reasons.
I need to access a URL using file_get_contents(), but I get the error Warning: file_get_contents(): open_basedir restriction in effect.
I checked the PHP config and allow_url_fopen is On.

On the development server (Ubuntu 10.10) it works correctly, but on Debian (6.0 squeeze) it doesn't. Any ideas?

PHP Version is 5.3.3-7+squeeze7 with Suhosin-Patch
An example:

php.ini:

open_basedir = /var/securedir/:/var/www
allow_url_fopen = On

php code:

$a = file_get_contents("http://www.php.net");
Warning: file_get_contents(): open_basedir restriction in effect.

Another problem is that:

$b = file_get_contents("/var/securedir/file.xml");
Warning: file_get_contents(): open_basedir restriction in effect. File(/var/securedir/file.xml) is not within the allowed path(s): (/var/securedir/:/var/www)
EsteveBlanch
  • 1
    Can you show an example? – Pekka Feb 10 '12 at 11:26
  • What version of PHP? Might be https://bugs.php.net/bug.php?id=48603 – symcbean Feb 10 '12 at 11:33
  • PHP Version is 5.3.3-7+squeeze7 with Suhosin-Patch – EsteveBlanch Feb 10 '12 at 11:41
  • An example is: `open_basedir = .:/var/securedir:/var/www` `$a = file_get_contents("http://www.php.net/");` – EsteveBlanch Feb 10 '12 at 11:43
  • Which directory is your open_basedir set to and from which directory do you try to read that file? Is the latter a child of the first? (it has to…) – feeela Feb 10 '12 at 11:44
  • 2
    You may have to make a change to the open_basedir directive in your Apache httpd.conf. http://www.bigsoft.co.uk/blog/index.php/2007/12/30/fixing-php-s-require-open_basedir-restri – Jeremy Harris Feb 10 '12 at 11:44
  • While it's not a solution to your problem, specifying '.' as a directory in open_basedir rather defeats the purpose. – symcbean Feb 10 '12 at 13:03
  • In addition to cillosis: You can check the actual php settings using phpinfo() or ini_get http://php.net/manual/en/function.ini-get.php It might be overridden somewhere outside your php.ini file – Treur Feb 10 '12 at 13:19
  • @symcbean you're right, specifying '.' may cause security issues, and is not necessary. I removed that; the main problem still persists. – EsteveBlanch Feb 10 '12 at 13:21
  • @Treur I checked that, open_basedir seems OK. – EsteveBlanch Feb 10 '12 at 14:20

1 Answer

0

Why not just use cURL to fetch the contents instead? It's just going to be a few extra lines of code:

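// Fetch the body of $sUrl with cURL; returns the body as a string, or false on failure.
function fetch_content( $sUrl ) {

    $aOptions = array(
        CURLOPT_RETURNTRANSFER => true,   // return the body instead of printing it
        CURLOPT_HEADER         => false   // leave response headers out of the result
    );

    $cUrlHndl = curl_init( $sUrl );
    curl_setopt_array( $cUrlHndl, $aOptions );
    $binaryContents = curl_exec( $cUrlHndl );
    curl_close( $cUrlHndl );

    return $binaryContents;
}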

Because file_get_contents does pose security risks, that's why it's disabled on the server. The warning you're getting is because the path you tried to open is not included in the php.ini settings file.

Lok Yan Wong
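
A diagnostic that follows up on the `ini_get` and "is the file a child of the open_basedir directory" comments above. It is an added example, not code posted by anyone in the thread. The function names `basedir_entry_for` and `report` are hypothetical, the two targets are the ones from the question, and the containment check treats each entry as a directory after resolving symlinks, which is stricter than a plain string-prefix match.

```php
<?php
// Added diagnostic, not code from the thread. Request it through the same
// Apache vhost as the failing script so per-vhost overrides are reflected.

// Return the open_basedir entry containing $path, or null if none does.
function basedir_entry_for($path, $openBasedir)
{
    // PHP checks the resolved path, so follow symlinks before comparing.
    // realpath() is itself subject to open_basedir and returns false when blocked.
    $real = @realpath($path);
    if ($real === false) {
        return null;
    }
    foreach (explode(PATH_SEPARATOR, $openBasedir) as $entry) {
        // Skip empty entries and entries that do not exist on this host.
        if ($entry === '' || ($base = @realpath($entry)) === false) {
            continue;
        }
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        // Compare as a directory so /var/www does not also match /var/www2.
        if ($real . DIRECTORY_SEPARATOR === $base || strpos($real, $base) === 0) {
            return $entry;
        }
    }
    return null;
}

function report($target)
{
    $out = array(
        'target'          => $target,
        'loaded_ini'      => php_ini_loaded_file(),        // php.ini this SAPI actually read
        'open_basedir'    => (string) ini_get('open_basedir'),
        'allow_url_fopen' => ini_get('allow_url_fopen'),
    );
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $target)) {
        // URL target: report whether the stream wrapper is registered.
        $scheme = strtolower(parse_url($target, PHP_URL_SCHEME));
        $out['wrapper_registered'] = in_array($scheme, stream_get_wrappers(), true);
    } else {
        $out['realpath']      = @realpath($target);
        $out['matched_entry'] = basedir_entry_for($target, $out['open_basedir']);
    }
    return $out;
}

// Targets taken from the question.
foreach (array('http://www.php.net', '/var/securedir/file.xml') as $target) {
    print_r(report($target));
}
```

Comparing the output from the Ubuntu and Debian hosts shows whether the effective `open_basedir` or the loaded php.ini differs between them. A `matched_entry` of null for a file that appears to sit under `/var/securedir/` means its resolved path could not be matched to any entry, for example because a symlink leads outside the listed directories.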