Affected page
https://www.php.net/manual/en/ini.core.php#ini.open-basedir
Issue description
Limit the files that can be accessed by PHP to the specified directory-tree, including the file itself.
This is in general true for files, but does not apply to unix sockets.
I'd recommend adding a warning that open_basedir does not block access to unix sockets.
Here is some example code to connect to the docker socket /var/run/docker.sock:
```php
<?php
function listDockerContainers(): array
{
    // open_basedir does not apply to the unix:// transport, so this succeeds
    // even when the socket path lies outside the allowed directory tree.
    $socketPath = 'unix:///var/run/docker.sock';
    $socket = stream_socket_client($socketPath, $errno, $errstr, 5);
    if (!$socket) {
        throw new RuntimeException("Failed to connect: $errstr ($errno)");
    }
    fwrite($socket, "GET /containers/json?all=true HTTP/1.1\r\nHost: localhost\r\nConnection: close\r\n\r\n");
    $response = stream_get_contents($socket);
    fclose($socket);

    // Split the raw HTTP response into headers and body
    $parts = explode("\r\n\r\n", $response, 2);
    $headers = $parts[0];
    $body = $parts[1] ?? '';

    // Decode chunked transfer encoding
    if (stripos($headers, 'Transfer-Encoding: chunked') !== false) {
        $decoded = '';
        $pos = 0;
        $len = strlen($body);
        while ($pos < $len) {
            $end = strpos($body, "\r\n", $pos);
            if ($end === false) break;
            $chunkSize = hexdec(substr($body, $pos, $end - $pos));
            if ($chunkSize === 0) break;
            $pos = $end + 2;
            $decoded .= substr($body, $pos, $chunkSize);
            $pos += $chunkSize + 2;
        }
        $body = $decoded;
    }

    $containers = json_decode($body, true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        throw new RuntimeException('Failed to parse Docker response: ' . json_last_error_msg());
    }
    return $containers;
}

try {
    $containers = listDockerContainers();
    if (empty($containers)) {
        echo "No containers found.\n";
        exit(0);
    }
    printf("%-40s %-30s %-15s %s\n", 'Container ID', 'Image', 'Status', 'Names');
    echo str_repeat('-', 100) . "\n";
    foreach ($containers as $container) {
        $id = substr($container['Id'], 0, 12);
        $image = $container['Image'];
        $status = $container['State'];
        $name = ltrim($container['Names'][0] ?? '', '/');
        printf("%-40s %-30s %-15s %s\n", $id, $image, $status, $name);
    }
} catch (Exception $e) {
    echo 'Error: ' . $e->getMessage() . "\n";
    exit(1);
}
```
example run:
```
php -dopen_basedir=/tmp test2.php
Container ID                             Image                          Status          Names
----------------------------------------------------------------------------------------------------
388e1fecc5c9                             cgr.dev/chainguard/wolfi-base  exited          dreamy_ramanujan
5eb853c69f34                             scripts-llamacpp-wasm-builder  exited          llamacpp-wasm-builder
```
(instead of listing containers, you can also start a new container with mount-bind of a directory and bypass open_basedir)
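As an added example (not from this issue, PHP or the manual): an application-level guard that applies an open_basedir-style directory-prefix rule to the socket path before stream_socket_client() is called. The function names and the allowed-directory list are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not part of PHP or the manual: re-applies an
// open_basedir-style directory-prefix rule to a unix socket path, since
// open_basedir itself leaves the unix:// transport unrestricted.
function socketPathAllowed(string $socketPath, array $allowedDirs): bool
{
    // Resolve symlinks first so a link placed inside an allowed directory
    // cannot point at a socket outside it. Fail closed if unresolvable.
    $real = realpath($socketPath);
    if ($real === false) {
        return false;
    }
    foreach ($allowedDirs as $dir) {
        $dirReal = realpath($dir);
        if ($dirReal === false) {
            continue;
        }
        // Trailing slash keeps /tmp from matching /tmpfoo.
        $prefix = rtrim($dirReal, '/') . '/';
        if (strncmp($real, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

/** @return resource */
function connectUnixSocket(string $socketPath, array $allowedDirs, float $timeout = 5.0)
{
    if (!socketPathAllowed($socketPath, $allowedDirs)) {
        throw new RuntimeException("Refusing socket outside allowed directories: $socketPath");
    }
    $socket = stream_socket_client('unix://' . $socketPath, $errno, $errstr, $timeout);
    if ($socket === false) {
        throw new RuntimeException("Failed to connect: $errstr ($errno)");
    }
    return $socket;
}

// Constructed usage: with open_basedir=/tmp, pass the same list here.
// The connection to /var/run/docker.sock is refused before it is opened.
try {
    $socket = connectUnixSocket('/var/run/docker.sock', ['/tmp']);
    fclose($socket);
} catch (RuntimeException $e) {
    echo 'Error: ' . $e->getMessage() . "\n";
}
```

This only covers code that goes through the helper; fsockopen(), the sockets extension and cURL's unix socket option reach the same socket, so for code you do not control the php.ini disable_functions directive is the more complete mitigation.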
Steps to reproduce
No response
Suggested fix
No response