Edit report at http://bugs.php.net/bug.php?id=20054&edit=1
ID: 20054
Updated by: j...@php.net
Reported by: public at cs dot uwa dot edu dot au
Summary: safe_mode_include_dir not being used correctly
-Status: Analyzed
+Status: Wont fix
Type: Feature/Change Request
-Package: Feature/Change Request
+Package: Safe Mode/open_basedir
Operating System: Linux - Redhat 7.3
PHP Version: 4.3.0-dev
Block user comment: N
Private report: N
New Comment:
Safe mode will be gone soon. This will never happen in older releases
either.
Previous Comments:
------------------------------------------------------------------------
[2004-03-29 03:53:13] 99 at 9988 dot idv dot tw
d
------------------------------------------------------------------------
[2003-07-21 19:06:28] il...@php.net
The safe_mode_include_dir as it's name suggests is specifically tailored
to allow include/require exceptions that are READ only. If what you ask
is to be implemented it could open a number of security holes by
allowing write/create/overwrite access to execluded directories. The
corect solution would be to add another directive where you could
specify a list of excluded directories inside user will have full access
regardless of safe_mode. Since this already more of a feature request
rather then a bug I am marking it as such.
------------------------------------------------------------------------
[2002-11-20 00:53:49] public at cs dot uwa dot edu dot au
Just for the record, I wrote a patch for this to allow for paths to be
excluded from the safemode checks basically the same as the include
value does. Posted that the the developers list asking if anyone was
interested, enver got a reply, so I thought I'd add it in here for
completeness sake.
If anyone has any suggestions with what I can do with the patch, let
me know :}
------------------------------------------------------------------------
[2002-11-02 01:30:40] vegaspctech at yahoo dot com
I've got Apache 2 and PHP 4.3.0-dev on Red Hat 7.2 with /usr/share/pear
in safe_mode_include_dir and I get "SAFE MODE Restriction in effect.
The script whose uid is 502 is not allowed to access
/usr/share/pear/Mail.php owned by uid 0" etc., with 'require_once(
"Mail.php" );' and 'require( "Mail.php" );' and ��'include( "Mail.php"
);' and 'include( "/usr/share/pear/Mail.php" );' and every other
variation I can think to try.
------------------------------------------------------------------------
[2002-10-30 11:37:56] il...@php.net
The current implementation of safe_mode_include_dir only allows
require/include functions to bypass safe_mode. I've began a discussion
on php-dev on whether or not this should be expanded to include other
file operations. If you have an opinion on the matter, make it known
there (php-dev).
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/bug.php?id=20054
--
Edit this bug report at http://bugs.php.net/bug.php?id=20054&edit=1
