On 28.09.2011 10:46, Pierre Joye wrote:
> hi,
>
> On Wed, Sep 28, 2011 at 9:02 AM, Reindl Harald <h.rei...@thelounge.net> wrote:
>
> First, all you need to test is:
>
> $tempfile = tempnam($temp_folder, 'rhcsv');
> $fp = fopen($tempfile , 'w');
>
>> * /tmp MUST NOT be in open_basedir
>> * the temp-folder must be read only
>> * QUESTION1: why is tempnam() falling back to a dir outside open_basedir?
>> * QUESTION2: why is tempnam() creating a file OUTSIDE open_basedir?
>
> The flow can be easily seen here:
>
> http://lxr.php.net/opengrok/xref/PHP_5_4/ext/standard/file.c#798
> http://lxr.php.net/xref/PHP_5_4/main/php_open_temporary_file.c#php_do_open_temporary_file
>
>> * QUESTION3: why is there no error-msg that $dir is readonly instead of
>> unexpected fallback
>
> It is how it always works for temp files. Configuring the temp
> directories correctly is the way to go (set the TMP). As far as I
> remember there was a discussion about temp directories and open base
> dir a while back, maybe you can find some additional info in it.

but it is wrong to create a file outside the open_basedir, especially if a
fully qualified directory was passed where it should be created

without any param /tmp is right, but not as magical fallback, and in my
opinion a well designed webapp should never touch global /tmp shared with
other hosts and applications
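
Added example (not part of the original thread, and not PHP's own code): one way for an application to refuse the fallback discussed above, by checking that the file tempnam() returns really is in the directory that was requested. The helper name safe_tempnam() and the demo directory names are assumptions made for illustration.

```php
<?php
// Added example; safe_tempnam() is a hypothetical helper, not a PHP built-in.
function safe_tempnam(string $dir, string $prefix): string
{
    $wanted = realpath($dir);
    if ($wanted === false || !is_dir($wanted)) {
        throw new RuntimeException("temp dir does not exist: $dir");
    }
    if (!is_writable($wanted)) {
        // Refuse early so tempnam() never gets the chance to fall back.
        throw new RuntimeException("temp dir is not writable: $dir");
    }

    // @ hides any warning/notice; the path check below is what decides.
    $file = @tempnam($wanted, $prefix);
    if ($file === false) {
        throw new RuntimeException("tempnam() failed for $dir");
    }

    // is_writable() is only a hint (races, ACLs, quotas): verify the result.
    if (realpath(dirname($file)) !== $wanted) {
        @unlink($file); // best effort: leave nothing in the shared temp dir
        throw new RuntimeException(
            'tempnam() fell back to ' . dirname($file) . " instead of $wanted"
        );
    }
    return $file;
}

// Constructed demo directories: one private and writable, one read-only.
$ok = sys_get_temp_dir() . '/rhcsv-demo-' . getmypid();
$ro = $ok . '/readonly';
mkdir($ok, 0700);
mkdir($ro, 0500);

$file = safe_tempnam($ok, 'rhcsv');
echo "created: $file\n";
unlink($file);

try {
    // Refused for an unprivileged user; root can still write here.
    unlink(safe_tempnam($ro, 'rhcsv'));
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), "\n";
}
rmdir($ro);
rmdir($ok);
```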