Edit report at http://bugs.php.net/bug.php?id=43822&edit=1
ID: 43822
Comment by: jo at feuersee dot de
Reported by: birne at 007mail dot de
Summary: Allow ini_set('include_path', ??) even when
php_admin_value include_path is set
Status: Open
Type: Feature/Change Request
Package: Feature/Change Request
Operating System: Ubuntu Linux 7.10
PHP Version: 5.2.5
New Comment:
PHP 5.3.2
As derernst corretly stated, using set_include_path() instead of
ini_set()
does not make any difference.
This behavior doesn't add any security (as you can still include files
anywhere as long as open_basedir allows it), but limits convenience (eg.
adding a framework, writing custom autoloader functions, ...)
Previous Comments:
------------------------------------------------------------------------
[2009-03-20 13:13:10] derernst at gmx dot ch
Using set_include_path() instead of ini_set('include_path') does not
seem to make a difference.
I consider this change, that disables setting the include_path at
runtime, a severe backwards compatibility break. For example it can make
an application that relies on a manual PEAR installation unuseable. This
is a problem specially in shared hosting environments, where you usually
can't control the server configuration.
------------------------------------------------------------------------
[2008-01-11 21:59:31] der...@php.net
I think you can use set_include_path() for this:
http://no.php.net/manual/en/function.set-include-path.php
------------------------------------------------------------------------
[2008-01-11 20:55:42] birne at 007mail dot de
Description:
------------
After the patch for #41561 was applied, ini_set() could no longer
overwrite any configuration value that was previously defined using
php_admin_*.
In #43598 sniper wrote: php_admin_* is supposed to make any such option
unusable by anybody in any script. And it's meant for hosting
companies.
I agree, that in a hosting environment no customer should be able to
overwrite configuration like open_basedir. But there is no harm in
allowing the customer to change include_path; on the contrary is it of
great use for the customer to add his own libraries.
Before the #41561 patch was applied, this was already possible for years
and that was no bug, because overwriting open_basedir was not possible
at all.
I suggest to define another "Changeable" scope (see
http://php.net/manual/en/ini.php) for configuration values like
"PHP_INI_OVERWRITEABLE" wich behaves like "PHP_INI_ALL" but in addition
to that can be overwritten using ini_set() even when previously defined
using php_admin_*. The inlude_path would be one of the new
PHP_INI_OVERWRITEABLE directives, additional harmless ones must be
defined.
Please make sure to properly document that change - the new behavior of
the patch for #41561 is still not documented anywhere (or I did not find
it..)
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/bug.php?id=43822&edit=1
