PHP bug: binary characters in open_basedir allowed path and security issues

I must've been searching for the wrong keywords, as I only found the related bug report (here) after finding a fix to this problem:

I'm using WAMP Server under Windows. When I specified open_basedir with "php_admin_value open_basedir" in the Apache configuration file, it worked fine after restarting all services in WAMP, but after the first reload the open_basedir path magically turned into a series of binary characters and the restriction (obviously) failed. I also had the network connection reset a number of times while the browser was trying to load the page.

This was not an issue if open_basedir was specified in php.ini only.

Fortunately, the issue seems to have been fixed. It was a problem when I used Apache version 2.2.11 and PHP version 5.3.0, but with Apache version 2.2.17 and PHP version 5.3.4 everything works fine. I think it was a PHP bug (although I also read an initial PHP bug report where it was apparently claimed that it wasn't), so if you encounter this error, all you have to do is upgrade PHP.

Be warned, though: open_basedir on its own is not a sufficient restriction. This report by the Hardened-PHP project suggests disabling the symlink() function as well (for example by listing it in disable_functions), because symlinks can be used to get around the open_basedir check.
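Whichever way the restriction is configured, the lesson of the bug above is that the configuration file is not proof that the restriction is in effect; the running SAPI has to be checked. The script below is an added example (not code from the original post) that verifies both points made here: that open_basedir is set to a sane, printable value and actually blocks reads outside it, and that symlink() is disabled. The configuration directives in the comments and the paths used are assumptions for illustration; adjust them to your own layout and run the script through the web server whose configuration you changed, not from the command line, since the two can load different settings.

```php
<?php
// Added example: confirm that open_basedir and disable_functions=symlink are
// really active for the SAPI serving this request, instead of trusting the
// configuration file. Assumed configuration (hypothetical paths), either in
// the Apache configuration:
//   php_admin_value open_basedir "C:/wamp/www/"
//   php_admin_value disable_functions "symlink"
// or in php.ini:
//   open_basedir = "C:/wamp/www/"
//   disable_functions = symlink

function check_open_basedir()
{
    $results = array();

    // 1. The directive must be set and must consist of printable characters.
    //    The bug described above turned the value into binary garbage after
    //    a reload, so a non-printable value means the restriction is broken.
    $basedir = (string) ini_get('open_basedir');
    $results['open_basedir_value']     = $basedir;
    $results['open_basedir_set']       = ($basedir !== '');
    $results['open_basedir_printable'] = ($basedir !== '' && preg_match('/^[\x20-\x7E]+$/', $basedir) === 1);

    // 2. A read inside the allowed path must work. This script can only run
    //    if it lies under open_basedir, so __FILE__ is a safe "inside" probe.
    $results['inside_read_allowed'] = (@file_get_contents(__FILE__) !== false);

    // 3. A read outside the allowed path must be refused. The probe file is
    //    assumed to exist on the platform and never to live under the web root.
    $is_windows = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN');
    $outside = $is_windows ? 'C:/Windows/win.ini' : '/etc/hostname';
    // open_basedir makes this emit a warning and return false; @ silences the
    // warning so the result can be tested.
    $results['outside_read_blocked'] = (@file_get_contents($outside) === false);

    // 4. symlink() should be unavailable. function_exists() returns false for
    //    functions listed in disable_functions, which is what we want to see.
    $results['symlink_disabled'] = !function_exists('symlink');

    return $results;
}

function report($results)
{
    $ok = true;
    foreach ($results as $name => $value) {
        if ($name === 'open_basedir_value') {
            echo "open_basedir value: " . ($value === '' ? '(not set)' : $value) . "\n";
            continue;
        }
        echo str_pad($name, 26) . ($value ? 'OK' : 'FAIL') . "\n";
        if (!$value) {
            $ok = false;
        }
    }
    echo $ok ? "All checks passed.\n" : "At least one check failed; the restriction is not enforced as intended.\n";
    return $ok;
}

header('Content-Type: text/plain');
report(check_open_basedir());
```

Run it once after a full restart and again after a reload (or after whatever event broke the setting in your environment): on the affected PHP versions the second run is where the `open_basedir_printable` and `outside_read_blocked` checks turn to FAIL. If `symlink_disabled` reports FAIL, the disable_functions directive is not reaching this SAPI, which is the same class of problem as the one described above.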
