Christian Ista wrote:

Hello,

I have a dedicated server (Linux Red Hat + Apache 1.31.x and PHP 4.3.x).

I'd like, for a specific virtual host, to set the include_path and safe_mode.

To do that, I did:
<Virtualhost>
.....
php_admin_value safe_mode  on
php_admin_value include_path ".:/design:/home:/manager:/login:/style"
</Virtualhost>

Then I made 2 tests with a test.php page placed on this server.

1. In a test page, I try to include an HTML file. This file is on another server. In the test page I have
<?php include("www.other-server.com/myfile.html"); ?>. In myfile.html there is only the text
"MY TEST".

When I call test.php, I see "MY TEST".

It's not normal, I think, because I include a file from outside the include_path.

Do you have an idea what's happening?

2. I do another include, but this time of a local file (/etc/my.cnf, it's the
configuration file for MySQL, the owner is root).

With the php_admin_value values in the virtual host, it is impossible to include it, even if I
specify the path of this file in the include_path. Is it normal?

For me the most important point is the first: why is it still possible to include a
remote file?

Regards,

Christian,
because you've got allow_url_fopen = On. safe_mode doesn't stop that. You need to turn the allow_url_fopen Off to limit that ability...

- Tul

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
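
Added example, not part of the thread: alongside turning allow_url_fopen Off as the reply advises, an application can refuse URL-style include targets itself and confine local includes to known directories, since include_path is only a search list and not a restriction. The function names, the demo directory and the `http://` form of the URL are assumptions made for illustration, and Unix-style paths are assumed.

```php
<?php
// Added example with hypothetical helper names; not code from the thread.

// True when the ini setting that permits URL targets in fopen()/include() is on.
function url_wrappers_enabled() {
    $v = strtolower((string) ini_get('allow_url_fopen'));
    return in_array($v, array('1', 'on', 'yes', 'true'), true);
}

// Return the resolved path if $path is a local file under one of
// $allowed_dirs, or false otherwise.
function resolve_local_include($path, $allowed_dirs) {
    // Reject anything with a scheme (http://, ftp://, php://, ...):
    // include_path plays no part in resolving these.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return false;
    }
    $real = realpath($path);   // resolves ../ and symlinks; false if missing
    if ($real === false || !is_file($real)) {
        return false;
    }
    foreach ($allowed_dirs as $dir) {
        $base = realpath($dir);
        if ($base !== false && strpos($real, rtrim($base, '/') . '/') === 0) {
            return $real;
        }
    }
    return false;
}

// Constructed demo: a temp directory stands in for the vhost's template dir.
$base = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($base);
file_put_contents($base . '/header.html', "MY TEST\n");

$candidates = array(
    $base . '/header.html',                     // inside the allowed dir
    'http://www.other-server.com/myfile.html',  // URL target: rejected
    $base . '/../../etc/my.cnf',                // resolves outside: rejected
);
foreach ($candidates as $c) {
    $ok = resolve_local_include($c, array($base));
    echo ($ok === false ? 'REJECT ' : 'ALLOW  ') . $c . "\n";
}
echo 'allow_url_fopen is ' . (url_wrappers_enabled() ? 'On' : 'Off') . "\n";

unlink($base . '/header.html');
rmdir($base);
```

Call `include` only on the path that `resolve_local_include()` returns, never on the original string.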


