-1

I'm creating a simple script that receives a zip as an upload, extracts it, and executes some logic. I don't need to keep the zip or the raw files that are in it, so I'm trying to extract to the system temp directory.

The problem is that it is not working: the error says that it is not within the allowed paths, but the file is clearly in the allowed path...

```
PHP message: PHP Warning: fopen(): open_basedir restriction in effect. File(/tmp/random_tmp_dir_My3C2v/upload.zip) is not within the allowed path(s): (/var/www/vhosts/domain.com/:/tmp/)
```

```php
$tmp_dir = tempnam(sys_get_temp_dir(), "random_tmp_dir_");
if (!$tmp_dir) {
    header("HTTP/1.1 500 Internal Server Error");
    error_log("Failed to create a temporary folder");
    exit(5);
}

$input = @fopen("php://input", "r");
if (!$input) {
    header("HTTP/1.1 400 Bad Request");
    exit;
}

$output = fopen("$tmp_dir/upload.zip", "w"); // This generates the open warning
if (!$output) { // $output was false and the script fails
    header("HTTP/1.1 500 Internal Server Error");
    error_log("Failed to open the file for writing: $tmp_dir/upload.zip");
    abort();
    exit(2);
}
```

I don't get why I can create a subfolder but I can't access the subfolder that I've just created...

Polyana Fontes
  • Check the permissions. – Funk Forty Niner Oct 08 '20 at 12:55
  • `open_basedir` is preventing access to that folder, because it's outside the allowable directories. There are several duplicates of this question. https://stackoverflow.com/questions/14465212/php-error-open-basedir-restriction-in-effect https://stackoverflow.com/questions/31186906/php-error-open-basedir-restriction-in-effect https://stackoverflow.com/questions/16872674/open-basedir-restriction-in-effect-file-is-not-within-the-allowed-path https://stackoverflow.com/questions/3257090/php-directory-error-open-basedir-restriction-in-effect https://stackoverflow.com/q/1846882/5827005 – GrumpyCrouton Oct 08 '20 at 12:57
  • "but the file is clearly in the allowed path" — How do you know? What is the allowed path? You didn't include the config file that sets it in your question. – Quentin Oct 08 '20 at 12:58
  • @GrumpyCrouton how exactly is `/tmp/random_tmp_dir_My3C2v/upload.zip` outside of `/tmp/`? – 04FS Oct 08 '20 at 12:58
  • @04FS Do you think that `open_basedir` is just going to make up the fact that it doesn't have access when it actually does? We can't see the configs, I'm not going to assume that `open_basedir` is wrong for no reason. – GrumpyCrouton Oct 08 '20 at 12:59
  • @GrumpyCrouton do you think it would explicitly say that `/tmp/` was part of the allowed paths, as it does right in the error message itself, if this really was the issue? File permissions are much more likely to blame here, I think - `tempnam` sets `0600`, after all. – 04FS Oct 08 '20 at 13:02
  • What configuration do y’all want to see, when the error message already says what the runtime value is? `is not within the allowed path(s): (/var/www/vhosts/domain.com/:/tmp/)` – 04FS Oct 08 '20 at 13:05
  • @04FS I think a permission issue could cause it to say that it's not within an allowed path. – GrumpyCrouton Oct 08 '20 at 13:06
  • @GrumpyCrouton yeah, as I said, `tempnam` sets `0600`, so I guess the error message PHP issues might actually be “off”, I suppose, in that it mixes together a file permissions issue with an open basedir one here. – 04FS Oct 08 '20 at 13:07
  • @GrumpyCrouton none of your links is a duplicate of my issue, as all of them are trying to access files outside their open_basedir restriction, except for one that was in the path but was a symbolic link, which is not my case either. – Polyana Fontes Oct 08 '20 at 13:09
  • @Quentin is not within the allowed path(s): (/var/www/vhosts/domain.com/:**/tmp/**) **/tmp/**random_tmp_dir_My3C2v/upload.zip – Polyana Fontes Oct 08 '20 at 13:10

1 Answer

0

I found the cause! This comment from @04FS helped me to find it.

The issue is that tempnam creates a file and not a folder and I was trying to use it as a folder right away.

The PHP warning message was misleading and caused confusion.

To solve the issue I added this after the tempnam call:

```php
$tmp_dir = tempnam(sys_get_temp_dir(), "random_tmp_dir_");
if (!$tmp_dir) {
    header("HTTP/1.1 500 Internal Server Error");
    error_log("Failed to create a temporary file");
    exit(5);
}

// tempnam() created a regular file; replace it with a directory of the same name.
if (!unlink($tmp_dir) || !mkdir($tmp_dir)) {
    header("HTTP/1.1 500 Internal Server Error");
    error_log("Failed to convert the temp file into a folder: $tmp_dir");
    exit(6);
}
```
Polyana Fontes
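The same goal without the `unlink()`/`mkdir()` step, as an added example that is not part of the original answer: `mkdir()` fails if the name already exists, so creating a randomly named directory directly leaves no window in a shared `/tmp` where another local user could claim the name. The function names, the `upload_` prefix and the in-memory sample input are assumptions made for illustration.

```php
<?php
// Added example; make_private_temp_dir() and save_stream() are hypothetical names.
declare(strict_types=1);

/** Create a fresh directory under the system temp dir and return its path. */
function make_private_temp_dir(string $prefix, int $attempts = 10): string
{
    $base = rtrim(sys_get_temp_dir(), DIRECTORY_SEPARATOR);
    for ($i = 0; $i < $attempts; $i++) {
        $path = $base . DIRECTORY_SEPARATOR . $prefix . bin2hex(random_bytes(8));
        // mkdir() is atomic and fails on an existing name, so a pre-planted
        // file or symlink is never reused. 0700: only the PHP user may enter.
        if (@mkdir($path, 0700)) {
            return $path;
        }
    }
    throw new RuntimeException("Could not create a temp directory in $base");
}

/** Copy $input into $dir/$name and return the number of bytes written. */
function save_stream(string $dir, string $name, $input): int
{
    // Mode "x" creates the file and fails if the name is already taken.
    $output = fopen($dir . DIRECTORY_SEPARATOR . $name, 'x');
    if ($output === false) {
        throw new RuntimeException("Could not open $name for writing");
    }
    $bytes = stream_copy_to_stream($input, $output);
    fclose($output);
    if ($bytes === false) {
        throw new RuntimeException("Copy to $name failed");
    }
    return $bytes;
}

// Constructed sample input standing in for php://input, so this runs from the CLI.
$input = fopen('php://memory', 'w+');
fwrite($input, "constructed sample bytes");
rewind($input);

$dir  = make_private_temp_dir('upload_');
$size = save_stream($dir, 'upload.zip', $input);
printf("%d bytes written to %s\n", $size, $dir);

// Remove the working files once processing is done.
unlink($dir . DIRECTORY_SEPARATOR . 'upload.zip');
rmdir($dir);
```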