ID: 26026 Comment by: derbubi at gmx dot net Reported By: roman at compic dot ee Status: Open Bug Type: Feature/Change Request Operating System: *nix PHP Version: 4.3.3 New Comment:
A Patch for this problem is available here: http://kyberdigi.cz/projects/execdir/english.html This Option would be very nice, even if it decreases performance (if this decrease is optional) Previous Comments: ------------------------------------------------------------------------ [2003-10-29 05:23:31] roman at compic dot ee Description: ------------ By bow we have safe_mode_exec_dir working (and good) for shared hosting, only if SAFE_MODE enabled. But often, SAFE_MODE need to be turned off. After this safe_mode_exec_dir is nothing. So we need to disable some funtions (system,passthru,...). But it can be done only for _ALL_ hosts. So if one host use "system()" in "safe_mode 1" to one or two special programs and happy - i can't turn SAFE_MODE 0 for other hosts. It's became realy danger - sometimes users have unsecure scripts and by using 'blah.php?f=http://somethere...' intruder can get nobody shell. Nobody shell mean - He can read mysql password in config.php or settings.php files. He also can install blindshell. So maybe good to add 'exec_dir' variable for working in 'safe_mode 0' ? Reproduce code: --------------- none needed ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=26026&edit=1
