Not quite sure how to fix this one. It's not like we can simply check before we open the error_log file in general, because that might be set by the server admin; it is only if the user tries to redefine where this error logfile should be that we want to apply the safe-mode restriction. Even if we try to do everything in the VCWD stuff in 4.3, we will have to keep some sort of state that tells us who provided the error logfile pathname.

-Rasmus

On 12 May 2002 [EMAIL PROTECTED] wrote:

> From: [EMAIL PROTECTED]
> Operating system: Linux 2.4.18
> PHP version: 4.2.0
> PHP Bug Type: Scripting Engine problem
> Bug description: error_log can be used to bypass safe_mode
>
> By doing ini_set('error_log', 'any_path'); The user can append data to any
> file writeable by the webserver.
> --
> Edit bug report at http://bugs.php.net/?id=17168&edit=1
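
The state-keeping described in the reply above, as an added example that is not part of the original message or of PHP's source: a simplified C model that records who supplied the error-log path and applies an ownership check at open time only when a script supplied it. All names, paths and UIDs are constructed, and the ownership table is an assumed stand-in for the real safe-mode file check.

```c
#include <stddef.h>
#include <string.h>

/* Who supplied the current error-log path (hypothetical model). */
enum origin { ORIGIN_ADMIN, ORIGIN_SCRIPT };

struct error_log_setting {
    char path[256];
    enum origin set_by;   /* the state the reply says must be kept */
};

/* Constructed ownership table used instead of stat() so the example runs offline. */
struct owned_path { const char *path; unsigned uid; };
static const struct owned_path owners[] = {
    { "/var/log/httpd/php_errors.log",   0    },
    { "/home/alice/logs/php.log",        1001 },
    { "/home/bob/public_html/index.php", 1002 },
};

static int owner_of(const char *path, unsigned *uid)
{
    for (size_t i = 0; i < sizeof owners / sizeof owners[0]; i++) {
        if (strcmp(owners[i].path, path) == 0) {
            *uid = owners[i].uid;
            return 0;
        }
    }
    return -1;   /* unknown path: this model treats it as not owned by anyone */
}

/* Store the path together with its provenance. Returns 0, or -1 if too long. */
int set_error_log(struct error_log_setting *s, const char *path, enum origin who)
{
    if (strlen(path) >= sizeof s->path)
        return -1;
    strcpy(s->path, path);
    s->set_by = who;
    return 0;
}

/* Open-time decision: an admin-supplied path is always allowed; a script-supplied
 * path under safe mode must belong to the script's owner. Returns 1 to allow. */
int may_open_error_log(const struct error_log_setting *s, int safe_mode,
                       unsigned script_uid)
{
    unsigned owner;
    if (!safe_mode || s->set_by == ORIGIN_ADMIN)
        return 1;
    return owner_of(s->path, &owner) == 0 && owner == script_uid;
}
```
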