[PHP-DEV] Bug #13447 Updated: Security not blocking "unlink" delete functions

Fri, 21 Dec 2001 00:46:59 -0800 

ID: 13447
Updated by: derick
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Closed
Bug Type: Filesystem function related
Operating System: windows 2000
PHP Version: 4.0.6
New Comment:

This is fixed in CVS now.

Derick

Previous Comments:
------------------------------------------------------------------------

[2001-12-19 15:47:51] [EMAIL PROTECTED]

I tried both adding a trailing slash (c:/pr/), and  4.1.0

You are still able to delete a file at your choosing. It's also interesting that the 
following has NO EFFECT.

php_admin_value disable_functions unlink

I have been unable to disable the command also. 

I really want to get PHP setup, but I can't give global access to everyone.

------------------------------------------------------------------------

[2001-12-19 08:43:14] [EMAIL PROTECTED]

Can you try adding a trailing slash (c:/pr/), and can you try 4.1.0???

------------------------------------------------------------------------

[2001-09-26 04:48:28] [EMAIL PROTECTED]

Running PHP in Apache using the MODULE configuration.

Apache/1.3.14 (Win32) PHP/4.0.6 mod_ssl/2.7.2 OpenSSL/0.9.6 running.

With the following: 

php_admin_flag safe_mode on
php_admin_value open_basedir c:/pr
php_admin_value doc_root c:/pr
php_admin_value user_dir c:/pr

IT SUCCESSFULLY blocks reads in directories other than c:/pr, but it DOES NOT block 
unlinks (file deletion) outside. So... My users cannot read other users files, however 
they can delete anything they want. Very strange. I DO NOT care about it checking 
"UIDs" as I do not create different Users for each USER... I want to be able to 
restrict access to a directory and call it good. 

<?php

echo "Peace!";
//unlink ("c:/test.txt");// UNLINK WORKS (This should fail)
$fp = fopen ("c:/test.txt", "r"); // FAILS SECURITY CHECK
echo "Dude10";
?>

------------------------------------------------------------------------



Edit this bug report at http://bugs.php.net/?id=13447&edit=1


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to