Let me start by saying I know this is asked a lot. Nothing really answers my issue though.
Script kiddies are looking for admin paths by hitting URLs like
mysite.com/index.php/admin/login
The main file is intercepting their request and looking to see if they've asked for a real file. This is rejected with no warnings on servers where open_basedir is not configured, which is the correct behavior. Unfortunately, on servers where we do use open_basedir, the file_exists function is throwing warnings.
I've narrowed it down to a simple example.
Put this in index.php and change the path to the folder where your PHP files are:
<?php
ini_set('open_basedir', '/path/to/files');
var_dump(
    ini_get('open_basedir'), // make sure the config took hold
    file_exists(realpath('index.php').'/') // existing file plus a trailing slash
);
Now you see a warning such as
Warning: file_exists() [<a href='function.file-exists'>function.file-exists</a>]: open_basedir restriction in effect. File(/path/to/files/index.php/) is not within the allowed path(s): (/path/to/files) in /path/to/files/index.php on line
edit:
It should be noted that requesting a nonexistent file with trailing slashes does not cause the warning.
var_dump(file_exists('/path/to/files/bogus.php/'));
will cause no warning and return false, which is as expected.
To clarify my question, why is there a warning being thrown and can I avoid it?
second edit:
I'm running PHP version 5.3.3-7+squeeze17. I will try it in newer versions soon.
This exact behaviour was reported as a bug in PHP 5.2.2 - 5.2.3:
https://bugs.php.net/bug.php?id=41518
And then later reported as present in 5.3.3.7 - 5.4.17.
https://bugs.php.net/bug.php?id=53041
Conclusion is that it seems to be a bug.
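One way a front controller can answer "is this a real file?" without handing file_exists() a path that runs on past a regular file, which is the shape of path in the warning above. This is an added example, not code from the question or the answer; resolve_static_file() and $docRoot are hypothetical names, and $docRoot is assumed to be a POSIX directory inside open_basedir.

```php
<?php
// Added example, not code from the question or answer. resolve_static_file()
// and $docRoot are hypothetical; $docRoot is assumed to be a POSIX directory
// that lies inside open_basedir.

/**
 * Return the regular file under $docRoot that $requestPath names, or null.
 * The path is walked one segment at a time, so no filesystem function ever
 * receives a string that continues past a regular file ("index.php/").
 */
function resolve_static_file($docRoot, $requestPath)
{
    $parts = explode('?', $requestPath, 2);        // drop the query string
    $path  = rawurldecode($parts[0]);
    if (strpos($path, "\0") !== false) {
        return null;                               // NUL byte: never a real file
    }
    $trailingSlash = substr($path, -1) === '/';
    $current = rtrim($docRoot, '/');

    foreach (array_filter(explode('/', $path), 'strlen') as $segment) {
        if ($segment === '.' || $segment === '..') {
            return null;                           // refuse traversal segments
        }
        if (!is_dir($current)) {
            return null;                           // parent is a file: stop probing
        }
        $current .= '/' . $segment;
    }
    // A trailing slash names a directory, so it can never match a file.
    if ($trailingSlash || !is_file($current)) {
        return null;
    }
    return $current;
}

// Constructed demo: a temporary document root holding a single index.php.
$docRoot = sys_get_temp_dir() . '/docroot_' . uniqid();
mkdir($docRoot);
touch($docRoot . '/index.php');
$requests = array('/index.php', '/index.php/', '/index.php/admin/login',
                  '/bogus.php/', '/../index.php');
foreach ($requests as $request) {
    echo $request, ' => ';
    var_dump(resolve_static_file($docRoot, $request));
}
unlink($docRoot . '/index.php');
rmdir($docRoot);
```

Of the constructed requests, only /index.php resolves to a path; the others return null without any filesystem call on a "file/" style path.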