ID: 33723
User updated by: ezmlm at mail dot ru
Reported By: ezmlm at mail dot ru
-Status: Feedback
+Status: Open
Bug Type: Apache related
Operating System: Linux
PHP Version: 5CVS-2005-07-18
New Comment:
This problem does not exist in php5 module for Apache2. It only exists
in php5 module for Apache1 cause those are completly different
modules.
Using php_admin_value safe_mode 1 didn't change anything.
again the steps to reproduce the problem.
Apache 1.3.33 is configured with ./configure --enable-module=so
and installed with make && make install
php is configured with ./configure
--with-apxs=/usr/local/apache/bin/apxs
then installed with make && make install
In httpd.conf added:
AddType application/x-httpd-php .php .phtml
php_admin_value safe_mode on
In <Directory "/usr/local/apache/htdocs"> section set
AllowOverride Options to allow php_flag and php_value in .htaccess
In /usr/local/apache/htdocs created info.phtml:
<?php
system('cat /etc/passwd');
phpinfo();
?>
The result is that safe_mode is ON and content of /etc/passwd IS NOT
displayed.
Now create .htaccess in /usr/local/apache/htdocs:
php_flag safe_mode off
The result is that phpinfo() shows safe_mode is OFF and content of
/etc/passwd IS displayed.
Previous Comments:
------------------------------------------------------------------------
[2005-07-19 00:45:21] [EMAIL PROTECTED]
Try change that php_admin_value line in httpd.conf to this:
php_admin_value safe_mode 1
------------------------------------------------------------------------
[2005-07-19 00:43:19] [EMAIL PROTECTED]
I can't reproduce this override problem when using Apache2.
------------------------------------------------------------------------
[2005-07-19 00:37:23] [EMAIL PROTECTED]
Solved. I had wrong permissions and owners set on the path and script I
used. safe-mode works as expected.
------------------------------------------------------------------------
[2005-07-18 19:18:20] [EMAIL PROTECTED]
I can't get safe-mode to work at all when using PHP CVS HEAD (5.1-dev).
No matter where I set it, be it php.ini or httpd.conf
------------------------------------------------------------------------
[2005-07-18 10:35:56] ezmlm at mail dot ru
I've tried. safe_mode is really turned off. I can use system and exec
and read other users files that are readable by apache.
For instance system('cat /etc/passwd') works fine
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/33723
--
Edit this bug report at http://bugs.php.net/?id=33723&edit=1
