Question

Let me start by saying I know this is asked a lot. Nothing really answers my issue though.

Script kiddies are looking for admin paths by hitting URLs like

mysite.com/index.php/admin/login

The main file is intercepting their request and looking to see if they've asked for a real file. This is rejected with no warnings on servers where open_basedir is not configured, which is the correct behavior. Unfortunately, on servers where we do use open_basedir, the file_exists function is throwing warnings.

I've narrowed it down to a simple example.

Put this in index.php and change the path to the folder where your PHP files are:

<?php
ini_set('open_basedir', '/path/to/files');

var_dump(
    ini_get('open_basedir'), // make sure the config took hold
    file_exists(realpath('index.php').'/') 
);

Now you see a warning such as

Warning: file_exists() [<a href='function.file-exists'>function.file-exists</a>]: open_basedir restriction in effect. File(/path/to/files/index.php/) is not within the allowed path(s): (/path/to/files) in /path/to/files/index.php on line

edit:

It should be noted that requesting a nonexistent file with trailing slashes does not cause the warning.

var_dump(file_exists('/path/to/files/bogus.php/'));

will cause no warning and return false, which is as expected.

To clarify my question, why is there a warning being thrown and can I avoid it?

second edit:

I'm running PHP version 5.3.3-7+squeeze17. I will try it in newer versions soon.


Solution

This exact behaviour was reported as a bug in PHP 5.2.2 - 5.2.3:

https://bugs.php.net/bug.php?id=41518

And then later reported as present in 5.3.3.7 - 5.4.17.

https://bugs.php.net/bug.php?id=53041

Conclusion is that it seems to be a bug.
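
A workaround sketch for the front controller described in the question, added here as an example and not part of the original question or answer: it walks the requested path one segment at a time, so a path that continues past an existing file is rejected without ever being passed to file_exists(). The function name and parameters are hypothetical, and that this avoids the warning on the affected PHP versions is an assumption based on the question's observation that only such paths trigger it.

```php
<?php
// Added example; resolve_static_file() and its parameters are hypothetical.
// Returns the absolute path of a regular file under $baseDir, or null.
function resolve_static_file($baseDir, $requestPath)
{
    $current = realpath($baseDir);
    if ($current === false || strpos($requestPath, "\0") !== false) {
        return null;
    }
    // Keep a trailing slash: "index.php/" yields a final empty segment,
    // so it is treated as a path that continues past the file.
    $segments = explode('/', ltrim($requestPath, '/'));
    $last = count($segments) - 1;

    foreach ($segments as $i => $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return null; // no empty or dot segments, so no escape from $baseDir
        }
        $current .= '/' . $segment;
        if (is_link($current)) {
            return null; // assumption: symlinks are never served
        }
        if (is_file($current)) {
            // A file only matches as the final segment. Anything after it
            // (index.php/admin/login) is rejected here, before that longer
            // path is ever handed to a filesystem function.
            return $i === $last ? $current : null;
        }
        if (!is_dir($current)) {
            return null; // nonexistent: stop probing
        }
    }
    return null; // the path named a directory
}

// Constructed requests, resolved against this script's own directory.
$self = '/' . basename(__FILE__);
foreach (array($self, $self . '/', $self . '/admin/login', '/bogus.php/') as $path) {
    var_dump($path, resolve_static_file(__DIR__, $path));
}
```

Independently of the workaround, keeping display_errors off in production stops warnings like the one in the question from exposing filesystem paths to whoever is probing.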

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow