Hello,
We have set the PHP open_basedir option and have noticed some warnings of files being opened outside of the basedir directories. These seem to come from the file 'website_code/php/display_library.php', when 'file_exists' is called. However, the code runs further checks to locate 'config.php' and these are successful (and give no warnings):
    if (file_exists('../../../config.php')) {
        require_once('../../../config.php');
    } elseif (file_exists(dirname(__FILE__) . '/../../config.php')) {
        require_once(dirname(__FILE__) . '/../../config.php');
    } else {
        require_once('config.php');
    }
It seems that many files use '../../../config.php', but these are all three levels down, so they work. It seems that it is used in only two places where the files are two levels down. One is the 'display_library' file mentioned above, but that caters for the potential problem.
The second is the file 'website_code/php/folder_library.php', and this file does no extra checking. It just uses:
    require_once('../../../config.php');
This will fail and cause PHP warnings, being outside of our web root area. The file should include further location checks, the same as the 'display_library' file.
Obviously not setting 'open_basedir' avoids any warnings, but the 'require_once' call in the 'folder_library' file will still fail since the 'config.php' file does not exist in the location it is checking.
John.
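
Added example, not part of the original post and not the project's own code: one way a library file in 'website_code/php/' could locate 'config.php' without probing paths outside open_basedir, by checking each candidate against the setting before touching the filesystem. The function names are hypothetical, and the check assumes open_basedir entries are absolute directories and does not resolve symlinks, so it is a simplification of PHP's own test.

```php
<?php
// Added example, not the project's code; all function names are hypothetical.

// Collapse "." and ".." segments with string operations only, so that no
// filesystem call (and therefore no open_basedir warning) is triggered.
function normalise_path(string $path): string {
    $out = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '..') {
            array_pop($out);
        } elseif ($seg !== '' && $seg !== '.') {
            $out[] = $seg;
        }
    }
    return '/' . implode('/', $out);
}

// True when $path is inside an open_basedir entry or no restriction is set.
// Assumption: entries are absolute directories; symlinks are not resolved.
function allowed_by_open_basedir(string $path): bool {
    $setting = (string) ini_get('open_basedir');
    if ($setting === '') { return true; }
    $path = normalise_path($path) . '/';
    foreach (explode(PATH_SEPARATOR, $setting) as $base) {
        // Skip relative entries such as "." rather than guess their meaning.
        if (!preg_match('#^(/|[A-Za-z]:[\\\\/])#', $base)) { continue; }
        $base = rtrim(normalise_path($base), '/') . '/';
        if (strncmp($path, $base, strlen($base)) === 0) { return true; }
    }
    return false;
}

// Probe the install root (two levels above this library) first, then the
// working-directory-relative path, skipping anything PHP would refuse.
function locate_config(string $libraryDir): ?string {
    $candidates = [$libraryDir . '/../../config.php'];
    if (($cwd = getcwd()) !== false) {
        $candidates[] = $cwd . '/../../../config.php';
    }
    foreach ($candidates as $candidate) {
        if (allowed_by_open_basedir($candidate) && is_file($candidate)) {
            return $candidate;
        }
    }
    return null;
}

echo locate_config(__DIR__) ?? 'config.php not found in a permitted location', PHP_EOL;
```

In a library file the returned path would be passed to require_once, with a null result treated as a fatal configuration error rather than falling through to a bare 'config.php'.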