I'm nuking safe_mode and I found something odd. In streams,
php_plain_files_unlink() only checks php_check_open_basedir() when
ENFORCE_SAFE_MODE is flagged. I was planning on nuking ENFORCE_SAFE_MODE
completely. Is this a bug? Or should I rename ENFORCE_SAFE_MODE to
ENFORCE_OPEN_BASEDIR?
I just saw we have STREAM_DISABLE_OPEN_BASEDIR.
Should I just check if that is 0 and do the open_basedir check in that
case?
Agreed. This slight logic twist got intrduced when unlink was routed
through wrapper->ops. It should be:
if (ENFORCE_SAFE_MODE) { /* safe mode check*/ }
if (!DISABLE_OPEN_BASEDIR) { /* do open basedir check */ }
Bad news, I'm probably the one who did that, good news the practical fact of
the matter is that it'd be uncommon to use both or neither option. It's
more "normal" to use one or the other so the logic as-is isn't particularly
harmful, just.... not-entirely-right. Looking at a quick grep, the only use
of wops->unlink() I actually see is the one in
ext/standard/file.c:PHP_FUNCTION(unlink) anyway.
-Sara
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
