#33723 [Opn->Ctl]: php_value overrides php_admin_value

Mon, 18 Jul 2005 10:18:34 -0700 

 ID:               33723
 Updated by:       [EMAIL PROTECTED]
 Reported By:      ezmlm at mail dot ru
-Status:           Open
+Status:           Critical
 Bug Type:         Apache related
 Operating System: Linux
-PHP Version:      5.0.4
+PHP Version:      5CVS-2005-07-18
 New Comment:

I can't get safe-mode to work at all when using PHP CVS HEAD (5.1-dev).
No matter where I set it, be it php.ini or httpd.conf




Previous Comments:
------------------------------------------------------------------------

[2005-07-18 10:35:56] ezmlm at mail dot ru

I've tried. safe_mode is really turned off. I can use system and exec
and read other users files that are readable by apache.
For instance system('cat /etc/passwd') works fine

------------------------------------------------------------------------

[2005-07-18 10:27:18] [EMAIL PROTECTED]

Even if phpinfo() shows that some .ini option has different value, it's
not necessarily true. Try do something that "safe" 
mode should prevent you from doing.


------------------------------------------------------------------------

[2005-07-18 09:35:18] ezmlm at mail dot ru

The same problem with php5-latest

------------------------------------------------------------------------

[2005-07-18 02:16:29] [EMAIL PROTECTED]

Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip



------------------------------------------------------------------------

[2005-07-16 13:22:11] ezmlm at mail dot ru

Description:
------------
PHP5 for apache 1.3.33 built as DSO allows php_admin_value
(php_admin_flag) options marked as PHP_INI_SYSTEM to be reset in
.htaccess files by using php_value (php_flag). safe_mode for example.

To demonstrate the problem in php.ini set safe_mode = Off, in
httpd.conf, set:
php_admin_value safe_mode on

Get phpinfo to verify that safe_mode is on.

Now create .htaccess file in document_root containing:
php_flag safe_mode off

(or even php_flag safe_mode on)

Get phpinfo again and note that safe_mode was reset to off (php.ini
initial value)




------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=33723&edit=1

Reply via email to