>
> > > That's not really a PHP issue.  Many ISPs turn off cgi-bin access so
> > > in those cases that won't work.
> >
> > Certainly some ISPs do that, but most do offer cgi-bin directories in
> > addition to PHP, because many of their customers rely on perl/c etc.
> > scripts that can be run via cgi-bin.
>
> And in that case you can also write cgi-bin programs in PHP then.  What's
> your point?

Why do that, since php-cgi will still try to read the php.ini and follow
safe_mode? It is easier to write a perl script, suid it to the user, and have
it do whatever you want. The only thing accomplished is 1 upset developer and
webhost who thinks he is "secure" because they turned on php's "security"
feature.

>
> > Sure here is just 1 example:
> >
> > Current directory is "/home/user/dir1/dir2/"
> > mkdir("/home/user/dir1/dir2/dir3") fails (Safe Mode Error)
> > mkdir("dir3") works fine
> >
> > This has been replicated with PHP 4.2.0 on 2 servers I've tried this on.
>
> Did you file a bug report?  I can't replicate this on my server.  Do you
> have symlinks, nfs or something else involved?

Yeah I had directories symlinked, although permissions on the directories were 
fine. I'll post a bug report once I have more exact data.

>
> > There are numerous and untold ways to cause PHP to eat up the cpu or to
> > crash the child, more than a few ways were posted on this list. That was
> > just the simplest example I could show.
>
> Yes, but safe_mode guards against one user getting at another user's
> data.  So again, I fail to see your point here.

No offence, but this is bullshit.

On a system with safe_mode 
<?php
show_source("/etc/passwd"); 
?>

Works!! What data did you protect?!

Ilia

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
