Will Setting open_basedir in an .htaccess file completely limit a PHP scripts directory access?

Question

My PHP script uses $_POST['fileUrl']; to retrieve a file for the user, which I believe poses a security threat because anyone could append "../../" etc to the fileUrl to gain access to other files on my server.

I need to find the best (most secure) way to limit files my script can access to a specific directory. From what I've read setting the open_basedir flag will limit my script's access to the path specified.

script.php

$fileUrl = $_POST['fileUrl'];
$content = chunk_split(base64_encode(file_get_contents($fileUrl))); 

.htaccess

php_flag open_basedir  "var/www/vhosts/mydomain.com/php_can_only_access_files_in_this_directory/"

Is there a better way to do this? Is this script completely secure from accessing folders outside the open_basedir?

Answer 1

If you want to avoid people performing directory traversal attacks by using ../../ in the file name you would be better off calling basename on the user supplied input to strip it down to a filename only.

See http://au2.php.net/basename for more details.

It is worth noting that the open_basedir flag only affects functions that check for it, in the past there have been several cases where php functions ignore the open_basedir flag, particularly in extensions such as imagemagick. Hence you should rather rely on secure coding practices and file permissions to restrict access to files.

Answer 2

s/php_flag/php_value/.

php_flag doesn't work consistently for open_basedir, when it does work at all. php_flag is for flags , php_value is for values . "path/:another/path/" is a value.