ID: 19703
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Open
+Status: Bogus
Bug Type: *General Issues
Operating System: Linux
PHP Version: 4.2.3
New Comment:
I don't see why this is a problem. safe_mode is meant to prevent
people (who are allowed to run PHP scripts on a server) from retrieving
sensitive information from the server. In this case, the information is
already 'freely' available, so it's not considered sensitive.
Previous Comments:
------------------------------------------------------------------------
[2002-10-02 11:11:19] [EMAIL PROTECTED]
OK, let's try this again.
The issue is that PHP in safe_mode will allow files to be 'include'-d
via http:// even if it will not allow files outside of open_basedir and
such.
I furthermore believe this might be dependent on cURL support being
compiled in.
test code (shows safe_mode/open_basedir restrictions enforced, but
allows inclusion via http://):
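<?php
ini_set("display_errors", "1");
// Local paths outside open_basedir: refused
include "/tmp/blah.php";
echo "<br>";
include "/tmp/blah2.php";
echo "<br>";
// Remote URL: included despite safe_mode/open_basedir
include "http://www.tras.pl/test.txt";
?>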
code can be viewed in action at:
http://www.tras.pl/test-safe.php
code source can be viewed at:
http://www.tras.pl/test-safe.txt
phpinfo(); output can be viewed at:
http://www.tras.pl/phpinfo.php
if you need more info, let me know what you need before marking this as
'bogus' again. thanks
------------------------------------------------------------------------
[2002-10-02 00:17:55] [EMAIL PROTECTED]
I cannot open URLs
------------------------------------------------------------------------
[2002-10-02 00:17:31] [EMAIL PROTECTED]
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php
If you can provide more information, feel free to add it
to this bug and change the status back to "Open".
Thank you for your interest in PHP.
------------------------------------------------------------------------
[2002-10-01 21:40:44] [EMAIL PROTECTED]
I believe PHP with safe_mode enabled should not allow include-ing of
files via http:// or any other remote means, if it will not allow based
on permissions and open_basedir and such.
The relevant portion of httpd.conf:
php_admin_flag safe_mode on
php_admin_value open_basedir /home/web/www.tras.pl/
php_admin_value doc_root /home/web/www.tras.pl/www/
php_admin_value safe_mode_exec_dir /usr/local/php/bin
test script at:
http://www.tras.pl/test-safe.php
source at:
http://www.tras.pl/test-safe.txt
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=19703&edit=1
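
Added example, not part of the bug thread: a small Python check over the httpd.conf fragment quoted above that reports when safe_mode or open_basedir is configured while PHP's URL wrappers stay enabled. It assumes allow_url_fopen (an ini setting the thread does not mention, on by default) is what governs http:// includes in this PHP version; the function names are illustrative.

```python
import re

# Constructed sample: the httpd.conf lines quoted in the report.
SAMPLE_CONF = """\
php_admin_flag safe_mode on
php_admin_value open_basedir /home/web/www.tras.pl/
php_admin_value doc_root /home/web/www.tras.pl/www/
php_admin_value safe_mode_exec_dir /usr/local/php/bin
"""

# Only php_admin_* lines are counted: php_flag/php_value settings can be
# overridden from .htaccess, so they do not pin a restriction in place.
ADMIN_DIRECTIVE = re.compile(
    r"^\s*php_admin_(?:flag|value)\s+(\S+)\s+(.+?)\s*$", re.IGNORECASE
)


def is_on(value):
    """Interpret a PHP boolean ini value as written in the config."""
    return value.strip().strip("\"'").lower() in {"on", "1", "yes", "true"}


def parse_php_admin_directives(conf_text):
    """Return {ini_name: value} for every php_admin_flag/php_admin_value line."""
    settings = {}
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):  # Apache comment line
            continue
        match = ADMIN_DIRECTIVE.match(line)
        if match:
            settings[match.group(1).lower()] = match.group(2)
    return settings


def audit_remote_include(conf_text):
    """Report configs that restrict local paths but leave URL wrappers on."""
    settings = parse_php_admin_directives(conf_text)
    restricted = is_on(settings.get("safe_mode", "off")) or bool(
        settings.get("open_basedir", "").strip("\"' ")
    )
    # Assumption: absent an explicit setting, allow_url_fopen defaults to on.
    url_wrappers_on = is_on(settings.get("allow_url_fopen", "on"))
    if restricted and url_wrappers_on:
        return ["safe_mode/open_basedir set, but allow_url_fopen is not "
                "disabled: include over http:// is still possible"]
    return []


if __name__ == "__main__":
    for finding in audit_remote_include(SAMPLE_CONF):
        print(finding)
```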