From: [EMAIL PROTECTED]
Operating system: windows 2000
PHP version: 4.0.6
PHP Bug Type: Filesystem function related
Bug description: Security not blocking "unlink" delete functions
Running PHP in Apache using the MODULE configuration.
Apache/1.3.14 (Win32) PHP/4.0.6 mod_ssl/2.7.2 OpenSSL/0.9.6 running.
With the following:
php_admin_flag safe_mode on
php_admin_value open_basedir c:/pr
php_admin_value doc_root c:/pr
php_admin_value user_dir c:/pr
IT SUCCESSFULLY blocks reads in directories other than c:/pr, but it DOES
NOT block unlinks (file deletion) outside. So... My users cannot read other
users files, however they can delete anything they want. Very strange. I DO
NOT care about it checking "UIDs" as I do not create different Users for
each USER... I want to be able to restrict access to a directory and call
it good.
<?php
echo "Peace!";
//unlink ("c:/test.txt");// UNLINK WORKS (This should fail)
$fp = fopen ("c:/test.txt", "r"); // FAILS SECURITY CHECK
echo "Dude10";
?>
--
Edit bug report at: http://bugs.php.net/?id=13447&edit=1
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
