[PHPTAL] safe-mode problem and solution
Thomas Müller
info at halbton.net
Mon Mar 24 22:57:12 CET 2008
hi,
thanks for your response and sorry for my delayed one.
Krzysztof Sikorski wrote:
> The problem is not in your include path but in basedir path. You
> probably uploaded your phptal libraries into a directory that is
> forbidden for your scripts. Try running
> ini_get('open_basedir');
> to check what dir is allowed and then move your libraries into that
> dir or one of its subdirs.
as i wrote, it's a safe-mode problem. i'm not allowed to change any
php-parameters via local php.ini, .htaccess or set_***().
>
> Or if you are lazy, just move it to the same dir you execute your
> scripts from, this one certainly is allowed. Your libraries will be
> visible from the net but that's a minor problem because they can't harm
> your server when executed directly.
to avoid this solution with all the risks, i suggest adding a constant like
PHPTAL_PHP_LIB_DIR. kornel lesinski indicated that he's thinking about
including this solution (see Re: [PHPTAL] PHPTAL and Wordpress - CET
17.03.2008 11:21).
a tmp-dir constant is already available. i have to use this option, because
/tmp is mostly unwritable on webhosting-space (/tmp isn't quoteable).
i use the following project-layout:
./extlib - for external libs like PHPTAL
./lib - my libs like controller and model
./templates - for view-templates
./tmp - tmp/cache for libs (rights other -wx)
./index.html - redirect to index.php
./index.php - the one and only view world readable
./*** - css and images
extlib, lib, templates and tmp are secured by .htaccess
[CODE]
order deny,allow
deny from all
allow from localhost
[/CODE]
PUT and DELETE are denied by main .htaccess (secure tmp)
that works very fine on different webspaces, if all PHPTAL-files are patched
like in PHPTAL.php
[CODE]
57,61c57,61
< //{{{PHPTAL_PHP_LIB_DIR
< if (!defined('PHPTAL_PHP_LIB_DIR')){
< define('PHPTAL_PHP_LIB_DIR', '');
< }
< //}}}
---
> require_once 'PHPTAL/FileSource.php';
> require_once 'PHPTAL/RepeatController.php';
> require_once 'PHPTAL/Context.php';
> require_once 'PHPTAL/Exception.php';
> require_once 'PHPTAL/TalesRegistry.php';
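Review bot: the diff direction looks reversed in this hunk: the "<" lines carry the new PHPTAL_PHP_LIB_DIR definition and the ">" lines the stock require_once statements, so applying it as posted would take the constant out again. Regenerate it with the unmodified PHPTAL.php as the first file (or state that it needs patch -R), ideally as a unified diff so the surrounding context is visible.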
63,67d62
< require_once(PHPTAL_PHP_LIB_DIR.'PHPTAL/FileSource.php');
< require_once(PHPTAL_PHP_LIB_DIR.'PHPTAL/RepeatController.php');
< require_once(PHPTAL_PHP_LIB_DIR.'PHPTAL/Context.php');
< require_once(PHPTAL_PHP_LIB_DIR.'PHPTAL/Exception.php');
< require_once(PHPTAL_PHP_LIB_DIR.'PHPTAL/TalesRegistry.php');
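Review bot: each require_once in this hunk concatenates PHPTAL_PHP_LIB_DIR straight onto 'PHPTAL/...', so a value without a trailing slash (for example one ending in 'extlib/phptal') builds a wrong path and the require fails fatally. Either document that the constant must end in a directory separator or normalise it once where it is defined. A comment would also help on the default '' from the first hunk: with it these stay relative includes resolved through include_path, which is the case that failed under open_basedir in this thread.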
[/CODE]
inclusion is done by
[CODE]
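// document root = everything before "index.php" in the script path
$_DocRoot = explode("index.php", $_SERVER["SCRIPT_FILENAME"], 2);
$_DocRoot = $_DocRoot[0];
// constant names must be passed to define() as quoted strings
define('PHPTAL_PHP_CODE_DESTINATION', $_DocRoot.'tmp/');
define('PHPTAL_PHP_LIB_DIR', $_DocRoot.'extlib/phptal/');
require_once(PHPTAL_PHP_LIB_DIR.'PHPTAL.php');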
[/CODE]
so i think the main risks should be solved outside my code.
greetings, thomas mueller
>
> On Sun, Mar 16, 2008 at 5:26 PM, Thomas Müller <info at halbton.net> wrote:
>> hi,
>>
>> i have a problem with a webhosting server. this server has very restrictive
>> rules. so i can't modify or override any php.ini rules and i have limited
>> htaccess syntax (only accept, deny, Auth*, etc), ...
>>
>> so all described path including ways won't work, like ini_set,
>> set_include_path or php_value. i'd tried all.
>>
>> result was every time like that:
>> [CODE]
>> Warning: main() [function.main]: open_basedir restriction in effect.
>> File(/PHPTAL/FileSource.php) is not within the allowed path(s):
>> (/pathto/phptal-login/httpdocs:/tmp) in
>> /pathto/phptal-login/httpdocs/extlib/phptal/PHPTAL.php on line 57
>>
>> Warning: main(PHPTAL/FileSource.php) [function.main]: failed to open stream:
>> Die Operation ist nicht erlaubt in
>> /pathto/phptal-login/httpdocs/extlib/phptal/PHPTAL.php on line 57
>>
>> Fatal error: main() [function.require]: Failed opening required
>> 'PHPTAL/FileSource.php' (include_path='.:.:.:') in
>> /pathto/phptal-login/httpdocs/extlib/phptal/PHPTAL.php on line 57
>> [/CODE]
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> PHPTAL mailing list
>> PHPTAL at lists.motion-twin.com
>> http://lists.motion-twin.com/mailman/listinfo/phptal
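
The open_basedir check suggested in the thread, as an added example (not code from the thread or from PHPTAL): it takes an open_basedir value and reports whether an absolute path falls inside it. The function names are hypothetical, and the check is purely lexical and treats each entry as a directory, which is an assumption; PHP itself also resolves symlinks.

```php
<?php
// Added example. All function names are hypothetical, not PHPTAL or PHP API.

/** Split an open_basedir value into entries; '' means no restriction. */
function allowed_basedirs(string $value, string $sep = PATH_SEPARATOR): array
{
    $dirs = ($value === '') ? [] : explode($sep, $value);
    return array_values(array_filter($dirs, function ($d) { return $d !== ''; }));
}

/** Collapse "." and ".." in an absolute path without touching the filesystem. */
function normalize_path(string $path): string
{
    $out = [];
    foreach (explode('/', $path) as $part) {
        if ($part === '' || $part === '.') { continue; }
        if ($part === '..') { array_pop($out); continue; }
        $out[] = $part;
    }
    return '/' . implode('/', $out);
}

/** True when $absPath is one of the allowed directories or lies below one. */
function within_basedir(string $absPath, array $allowed): bool
{
    if ($allowed === []) { return true; }            // no restriction configured
    $path = normalize_path($absPath);
    foreach ($allowed as $dir) {
        $dir = rtrim(normalize_path($dir), '/');
        // Compare on a directory boundary so /tmp does not match /tmpfoo.
        if ($path === $dir || strpos($path, $dir . '/') === 0) { return true; }
    }
    return false;
}

// Allowed paths copied from the warning quoted in the thread.
// On a live host use: allowed_basedirs((string) ini_get('open_basedir'))
$allowed = allowed_basedirs('/pathto/phptal-login/httpdocs:/tmp', ':');
$candidates = [
    '/PHPTAL/FileSource.php',                      // path named in the warning
    '/pathto/phptal-login/httpdocs/extlib/phptal/PHPTAL/FileSource.php', // built from PHPTAL_PHP_LIB_DIR
    '/pathto/phptal-login/httpdocs/../secret.php', // constructed: leaves the docroot via ".."
];
foreach ($candidates as $p) {
    printf("%-8s %s\n", within_basedir($p, $allowed) ? 'allowed' : 'blocked', $p);
}
```

Only the second candidate is reported as allowed, which is why building absolute paths from PHPTAL_PHP_LIB_DIR works on this host where the relative include did not.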