Would the cwd of the PHP CGI be inside the user's dir? Did you test it in a real CGI environment?

Zeev

At 12:23 11/12/2001, Mathieu Kooiman wrote:
>There's a problem with PHP cgi binaries:
>
><CaPS_> (was a CVS, so..)
><CaPS_> which reminds me
><CaPS_> remember my ranting about php.ini derick?
><CaPS_> (it opens ./php.ini, config_file_path/php.ini, checks PHPRC
>environment)
><CaPS_> in that order
><CaPS_> I got some 'friends' who work at hosters
><CaPS_> and they don't like that
><CaPS_> cos, ./php.ini will enable users to override safe mode
><CaPS_> made a lill patch for him so it wouldn't
><CaPS_> but, isn't it an idea to add --restrictive-hosting or something
>that'll ''activate'' that patch ?
><CaPS_> (limit php.ini to be in config-file-path)
><OpenSrc> yes
><OpenSrc> no switch
><OpenSrc> just reverse it :)
><CaPS_> que
><CaPS_> ?
><OpenSrc> change the order
><OpenSrc> let the MAIN php.ini override values in PHPRC/php.ini
><CaPS_> it doesn't sequentially parse them
><CaPS_> but one
><OpenSrc> oh
><OpenSrc> then that need to be fixed :)
><CaPS_> either ./php.ini, php.ini or PHPRC
><OpenSrc> write it to php-dev
>
>It allows users to set their own options in a ./php.ini, as in
>override user_dir, open_basedir and safe_mode.
>
>My default php.ini has error_reporting set to E_ALL:
>
>test.php:
>
><?php
>echo $test;
>?>
>
>php.ini-ex:
>error_reporting = E_ALL & ~E_NOTICE
>
>caps@anaina:~/php-4.1.0$ ./php -q test.php
>PHP Warning: undefined variable: test in /home/caps/php-4.1.0/test.php
>on line 3
>
>caps@anaina:~/php-4.1.0$ mv php.ini-ex php.ini
>caps@anaina:~/php-4.1.0$ ./php -q test.php
>caps@anaina:~/php-4.1.0$
>
>This was reported and discussed (on IRC) first on Nov 15
>(http://bugs.php.net/bug.php?id=14071), granted.. filed incorrectly.
>
>I'd say this is quite serious when you're a hoster who only allows PHP
>in CGI mode.
>
>Wouter de Jong is the one who actually discovered this.
>
>--
>Mathieu 'CaPS_' Kooiman <[EMAIL PROTECTED]>
>MAP Internet Services
>
>--
>PHP Development Mailing List <http://www.php.net/>
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]
>To contact the list administrators, e-mail: [EMAIL PROTECTED]
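
A hoster-side check for the behaviour described in this thread, as an added example that is not part of the original messages or of PHP: it walks a tree of customer directories and reports every php.ini that a CGI php binary would read from its working directory. The function names, the directive list and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example: audit a hosting tree for php.ini files that a CGI php
# binary would read from its working directory instead of the main php.ini.

# Directives the thread names as overridable (assumed list; extend as needed).
SENSITIVE='safe_mode|open_basedir|user_dir'

# List every php.ini below ROOT ($1), the tree holding customer scripts.
find_local_inis() {
    find "$1" -type f -name php.ini 2>/dev/null | sort
}

# Print the active (not ';'-commented) lines of FILE ($1) that set a
# sensitive directive. Prints nothing when there are none.
ini_overrides() {
    grep -E -i "^[[:space:]]*($SENSITIVE)[[:space:]]*=" "$1"
}

# Report each local php.ini as "<path>: <finding>". The thread notes that
# only one php.ini is parsed, so a local file without any sensitive line
# still displaces the main one and is reported as well.
audit_tree() {
    find_local_inis "$1" | while IFS= read -r ini; do
        hits=$(ini_overrides "$ini" || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | while IFS= read -r line; do
                printf '%s: sets %s\n' "$ini" "$line"
            done
        else
            printf '%s: replaces main php.ini\n' "$ini"
        fi
    done
}

# Run as: sh audit.sh <root-of-customer-directories>
if [ "$#" -gt 0 ]; then
    audit_tree "$1"
fi
```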