But those are APACHE directives. What I'm looking for is finer-grained control over what php_flag lines will be accepted.
A quick test wrapped in a <Directory> APPEARS not to be at risk, but I'd rather get confirmation of this before I rely on it. Can someone confirm that mod_php4 will not allow safe_mode and open_basedir to be altered by php_flag lines in .htaccess files?

Thanks.

On Thu, Jul 17, 2003 at 07:19:19AM -0700, Mark wrote:
>
> http://httpd.apache.org/docs-2.1/mod/core.html#allowoverride
>
> You can indicate which directives can be overridden, and which
> cannot.
>
> --- Paul Chvostek <[EMAIL PROTECTED]> wrote:
> > On Thu, Jul 17, 2003 at 01:56:57PM +0800, Jason Wong wrote:
> > > >
> > > > gets the error "php_flag not allowed here". I see from the comments at
> > > > http://www.php.net/register_globals that I need AllowOverride Options to
> > > > make that function ... but is it possible to have fine-grained enough an
> > > > AllowOverride statement that only register_globals can be changed?
> > > >
> > > > I wouldn't want a user to use his .htaccess file to turn off safe_mode
> > > > or open_basedir.
> > >
> > > Take control of the setting yourself by setting it in httpd.conf, inside the
> > > container of the virtual host in question.
> >
> > Not so easy with mod_vhost_alias, given that I want it to apply only to
> > certain users, and possibly only for directories for those users.
> >
> > The .htaccess solution is the right one unless "AllowOverride Options"
> > allowed the user to turn off safe_mode and open_basedir. I don't have a
> > non-production machine to test it on at the moment.
> >
> > Any idea how I give the user local register_globals control without also
> > letting them alter the other php.ini options?

--
  Paul Chvostek <[EMAIL PROTECTED]>
  Operations / Abuse / Whatever
  it.canada, hosting and development http://www.it.ca/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
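
An added example, not part of the original thread: a server-config sketch that gives one directory `AllowOverride Options` while pinning `safe_mode` and `open_basedir` with `php_admin_flag` / `php_admin_value`, which the PHP manual documents as unusable in .htaccess files and not overridable from .htaccess or `ini_set()`. The paths are hypothetical, and the layout assumes per-user directories under one hosting root.

```apache
# httpd.conf (server config), not .htaccess.
# Hypothetical paths: /home/hosting is the hosting root,
# /home/hosting/example-user is the one user allowed to use php_flag.

# Default for every hosted directory: .htaccess cannot carry
# php_flag/php_value at all, and the restrictions are pinned.
<Directory /home/hosting>
    AllowOverride None
    php_admin_flag  safe_mode On
    php_admin_value open_basedir /home/hosting
</Directory>

# The exception: this user may put "php_flag register_globals on"
# in .htaccess. The php_admin_* lines are set here in server config,
# so a php_flag or php_value line in .htaccess cannot change them.
<Directory /home/hosting/example-user>
    AllowOverride Options
    php_admin_flag  safe_mode On
    php_admin_value open_basedir /home/hosting/example-user
</Directory>

# Caveat: AllowOverride Options is not limited to register_globals.
# It admits the Apache Options directive and any php_flag/php_value
# for settings PHP classes as PHP_INI_PERDIR or PHP_INI_ALL.
# Settings classed PHP_INI_SYSTEM are outside what php_flag and
# php_value may set from .htaccess.
```

To check the result on a given server, place a `php_flag safe_mode off` line in a test .htaccess under the permitted directory and compare the Local Value and Master Value columns for `safe_mode` and `open_basedir` in `phpinfo()` output.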