The role of the open_basedir option in the PHP configuration file

The following is the original description and default configuration in php.ini:
; open_basedir, if set, limits all file operations to the defined directory
; and below. This directive makes most sense if used in a per -directory or
; per-virtualhost web server configuration file. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
open_basedir = .
open_basedir allows users to access The file's active scope is limited to a specified area, usually the path of its home directory, and the symbol "." can also be used to represent the current directory. Note that the restrictions specified with open_basedir are actually prefixes, not directory names.
For example: If "open_basedir = /dir/user", then the directories "/dir/user" and "/dir/user1" are both
accessible. So if you want to restrict access to only a specified directory, end the pathname with a slash. For example, set it to:
"open_basedir = /dir/user/"

open_basedir can also set multiple directories at the same time. Use semicolons to separate directories in Windows and
colon in any other system. Separate directories. When it is applied to the Apache module, the open_basedir path in the parent directory is automatically inherited.

There are three methods to make independent settings for specified users in Apache:

(a) The corresponding setting method of Directory in Apache's httpd.conf:

php_admin_value open_basedir /usr/local/apache/htdocs/
#To set multiple directories, please refer to the following:
php_admin_value open_basedir /usr/local/apache/htdocs/:/tmp/


(b) The corresponding setting method of VirtualHost in Apache's httpd.conf:
php_admin_value open_basedir /usr/local/apache/htdocs/
#To set multiple directories, you can refer to the following:
php_admin_value open_basedir /var/ www/html/:/var/tmp/

(c) Because after open_basedir is set in VirtualHost, this virtual user will no longer automatically inherit the open_basedir setting value in php.ini
. This It is difficult to achieve flexible configuration measures, so it is recommended that you do not set this restriction in VirtualHost
. For example, you can set open_basedir = .:/tmp/ in php.ini. This setting means that
is allowed to access the current directory. (that is, the directory where the PHP script file is located) and the /tmp/ directory.

Please note: If the temporary directory for uploading files set in php.ini is /tmp/, then you must set open_basedir
Include /tmp/, otherwise the upload will fail. The new version of php will prompt "open_basedir restriction in effect"
warning message, but the move_uploaded_file() function can still successfully remove the uploaded file in the /tmp/ directory, I don't know
Is this a vulnerability or a new feature?

Configuration for ShopEx472 version:

open_basedir = "D:/Server;../catalog;../include;../../ home;../syssite;../templates;../language;../../language;../../../language;../../../../language"