[PHP-DEV] Bug #15018 Updated: readdir() not affected by safe_mode

Sun, 13 Jan 2002 11:47:58 -0800 

ID: 15018
Updated by: rasmus
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Bogus
Bug Type: Feature/Change Request
Operating System: Debian Linux
PHP Version: 4.1.0
New Comment:

Like I mentioned on the mailing list, opendir() is the function that
would be relevant here.  It is analogous to saying that mysql_query()
should block you from accessing data in a database as opposed to this
access restriction being placed on the mysql_connect() call.  If the
perms on the dir are such that opendir() can read the directory under
safe-mode, then readdir() is going to give you a list of the files in
that dir.
Whether you can actually open and read those individual files
themselves is of course another issue and any such access would be
subject to a safe-mode check.  But an individual readdir() call does
not have any safe-mode implications.


Previous Comments:
------------------------------------------------------------------------

[2002-01-13 14:43:21] [EMAIL PROTECTED]

I hope this is not just a configuration problem. We have safe_mode
turned on and all file-system functions ARE limited by safe_mode - only
readdir() doesn't seem to be. Would anyone mind to have a look at this?
I have provided a sample script so it shouldn't take long to test it
with your configuration:

----------------------------------
<?php

function list_dir($dir) {
  $h = @opendir($dir);

  if(!$h)
    return false;

  while($e = readdir($h)) {
    $p = $dir . '/' . $e;

    if($p != '.' && $p != '..')
      if(is_dir($p))
        echo '[DIR] ', $e, "<br>\n";
      else
        echo $e, "<br>\n";
  }

  closedir($h);
}

list_dir($QUERY_STRING);

?>
----------------------------------

just save this file as for example "dir.php" and run with

dir.php?/home/customer/

to list contents. I looked at the release announcement of 4.1.1 and
there was no description of this bug:

  http://www.php.net/release_4_1_1.php

I also looked through the existing bug database and found nothing about
it. Excuse me if it's a dupe or even a bogus.

Kind Regards,
  Daniel Lorch
  http://daniel.lorch.cc/

------------------------------------------------------------------------



Edit this bug report at http://bugs.php.net/?id=15018&edit=1


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to