We can check it at the ini handler level. We can either forbid modifying error_log from userspace (denying PHP_INI_USER), deny it only in safe mode, or even apply the safe mode restriction at that level.

At 00:25 13/05/2002, Rasmus Lerdorf wrote:
>Not quite sure how to fix this one. It's not like we can simply check
>before we open the error_log file in general, because that might be set
>by the server admin, it is only if the user tries to redefine where this
>error logfile should be that we want to apply the safe-mode restriction.
>Even if we try to do everything in the VCWD stuff in 4.3 we will have to
>keep some sort of state that tells us who provided the error
>logfile pathname
>
>-Rasmus
>
>On 12 May 2002 [EMAIL PROTECTED] wrote:
>
> > From: [EMAIL PROTECTED]
> > Operating system: Linux 2.4.18
> > PHP version: 4.2.0
> > PHP Bug Type: Scripting Engine problem
> > Bug description: error_log can be used to bypass safe_mode
> >
> > By doing ini_set('error_log', 'any_path'); The user can append data to any
> > file writeable by the webserver.
> > --
> > Edit bug report at http://bugs.php.net/?id=17168&edit=1

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
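
The handler-level check discussed in this thread, as an added example that is not part of the original messages and is not PHP's source: a small C model in which the update handler is told whether the new value comes from the server configuration or from a script, and applies one of the three policies proposed in the reply. The names update_error_log, enum stage, enum policy and sample_path_allowed are hypothetical, and sample_path_allowed is a constructed stand-in for safe mode's ownership check.

```c
#include <stdio.h>
#include <string.h>

/* Who supplies the value: the admin's configuration at startup, or a script at runtime. */
enum stage { STAGE_STARTUP, STAGE_RUNTIME };

/* The three handler policies proposed in the reply (hypothetical names). */
enum policy { DENY_USER_ALWAYS, DENY_USER_IN_SAFE_MODE, CHECK_PATH_IN_SAFE_MODE };

struct config {
    int safe_mode;
    char error_log[256];
};

/* Constructed stand-in for safe mode's ownership check on the target path. */
static int sample_path_allowed(const char *path)
{
    static const char home[] = "/home/user1/";
    return strncmp(path, home, sizeof home - 1) == 0 && strstr(path, "..") == NULL;
}

/* Update handler: returns 0 if the new value is accepted, -1 if it is refused. */
int update_error_log(struct config *cfg, const char *path, enum stage st, enum policy pol)
{
    if (strlen(path) >= sizeof cfg->error_log)
        return -1;
    if (st == STAGE_RUNTIME) {              /* value comes from a script */
        if (pol == DENY_USER_ALWAYS)
            return -1;
        if (cfg->safe_mode) {
            if (pol == DENY_USER_IN_SAFE_MODE)
                return -1;
            if (!sample_path_allowed(path)) /* CHECK_PATH_IN_SAFE_MODE */
                return -1;
        }
    }
    strcpy(cfg->error_log, path);           /* admin values are never restricted */
    return 0;
}

int main(void)
{
    struct config cfg = { 1, "" };          /* safe mode on; constructed sample paths */
    update_error_log(&cfg, "/var/log/php_errors.log", STAGE_STARTUP, CHECK_PATH_IN_SAFE_MODE);
    int rc = update_error_log(&cfg, "/home/user2/notes.txt", STAGE_RUNTIME, CHECK_PATH_IN_SAFE_MODE);
    printf("rc=%d error_log=%s\n", rc, cfg.error_log);
    return 0;
}
```

Because the stage is passed to the handler, no separate record of who provided the pathname is needed: a refused runtime change leaves the admin's value in place.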