ID:               19703
 User updated by:  [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Bogus
+Status:           Open
 Bug Type:         *General Issues
 Operating System: Linux
 PHP Version:      4.2.3
 New Comment:

OK, let's try this again.

The issue is that PHP in safe_mode will allow files to be 'include'-d
via http:// even if it will not allow files outside of open_basedir and
such.

I furthermore believe this might be dependent on cURL support being
compiled in.

test code (shows safe_mode/open_basedir restrictions enforced, but
allows inclusion via http://):

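<?php
ini_set("display_errors", "1");         // show the safe_mode/open_basedir errors
include "/tmp/blah.php";                // local path outside open_basedir
echo "<br>";
include "/tmp/blah2.php";               // local path outside open_basedir
echo "<br>";
include "http://www.tras.pl/test.txt";  // remote include via http://
?>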

code can be viewed in action at:
        http://www.tras.pl/test-safe.php
code source can be viewed at:
        http://www.tras.pl/test-safe.txt
phpinfo(); output can be viewed at:
        http://www.tras.pl/phpinfo.php

if you need more info, let me know what you need before marking this as
'bogus' again.  thanks


Previous Comments:
------------------------------------------------------------------------

[2002-10-02 00:17:55] [EMAIL PROTECTED]

I cannot open URLs

------------------------------------------------------------------------

[2002-10-02 00:17:31] [EMAIL PROTECTED]

Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


------------------------------------------------------------------------

[2002-10-01 21:40:44] [EMAIL PROTECTED]

I believe PHP with safe_mode enabled should not allow include-ing of
files via http:// or any other remote means, if it will not allow based
on permissions and open_basedir and such.

The relevant portion of httpd.conf:

php_admin_flag safe_mode on
php_admin_value open_basedir /home/web/www.tras.pl/
php_admin_value doc_root /home/web/www.tras.pl/www/
php_admin_value safe_mode_exec_dir /usr/local/php/bin

test script at:

http://www.tras.pl/test-safe.php

source at:

http://www.tras.pl/test-safe.txt

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=19703&edit=1
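
An application-side check for the behaviour reported above, as an added example that is not part of the bug report or of PHP itself: it refuses include targets that name a URL wrapper and confirms that local ones resolve inside a base directory. The function name resolve_local_include() is hypothetical; the base directory and the three targets are taken from the report and used as constructed sample input.

```php
<?php
// Added example, not from the bug report. resolve_local_include() is a
// hypothetical helper name chosen for illustration.

/**
 * Return the canonical path of $target if it is a local file under
 * $baseDir, or false if it names a URL wrapper or escapes $baseDir.
 */
function resolve_local_include($target, $baseDir)
{
    // Anything of the form "scheme://" is served by a stream wrapper
    // (http, ftp, ...). This is the case the report shows getting past
    // the directory restriction, so refuse it outright.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $target)) {
        return false;
    }

    // realpath() resolves symlinks and ".." segments and returns false
    // for paths that do not exist.
    $real = realpath($target);
    $base = realpath($baseDir);
    if ($real === false || $base === false) {
        return false;
    }

    // Compare with a trailing separator so that /home/web/site-other
    // does not match a base directory of /home/web/site.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return false;
    }
    return $real;
}

// Constructed sample input: the include targets from the test script,
// checked against the open_basedir value quoted in the report.
$base = '/home/web/www.tras.pl/';
$targets = array('/tmp/blah.php', '/tmp/blah2.php', 'http://www.tras.pl/test.txt');
foreach ($targets as $t) {
    $ok = resolve_local_include($t, $base);
    echo $t, ' => ', ($ok === false ? 'refused' : 'allowed: ' . $ok), "\n";
}
```

The caller passes the returned path, not the original string, to include, so the file that was checked is the file that is loaded.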
