When in "safe mode" shouldn't PHP check to see if the directory that is
about to be opened with an opendir() function has the same UID as the PHP
script itself, and fail if the UIDs do not match?

Because in PHP 4.0.6 with safe_mode "on", a PHP script owned by "fred" can
open any directory owned by any other UID, so long as the directory is
under the "open_basedir".  This does not seem right to me, as it allows a
user in safe_mode to browse all the files on the entire webserver, looking
for things he might be able to peek at with a web browser.

Please advise whether this should be a bug report.
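
The ownership check asked about above can be sketched in userland. This is an added example, not part of the original message and not PHP's own safe_mode code. The function name owner_checked_opendir() and the base directory argument are hypothetical, and it assumes PHP 7 or later on a POSIX system.

```php
<?php
// Added example: hypothetical userland wrapper, not PHP's safe_mode implementation.

/**
 * Open $dir only if it lies under $baseDir AND is owned by the same UID
 * that owns the running script. Returns a directory handle or false.
 */
function owner_checked_opendir(string $dir, string $baseDir)
{
    // Resolve symlinks and ".." so the comparison is made on real paths.
    $realDir  = realpath($dir);
    $realBase = realpath($baseDir);
    if ($realDir === false || $realBase === false || !is_dir($realDir)) {
        return false;
    }

    // Containment check, analogous to open_basedir: compare with a trailing
    // separator so "/var/www-evil" is not treated as being under "/var/www".
    $sep    = DIRECTORY_SEPARATOR;
    $prefix = rtrim($realBase, $sep) . $sep;
    if (strncmp($realDir . $sep, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    // Ownership check: getmyuid() is the UID owning the script file,
    // fileowner() is the UID owning the directory.
    $scriptUid = getmyuid();
    $dirUid    = fileowner($realDir);
    if ($scriptUid === false || $dirUid === false || $scriptUid !== $dirUid) {
        return false;
    }

    return opendir($realDir);
}

// Constructed demo: try the script's own directory and the filesystem root,
// both with "/" as the allowed base. The result depends on who owns each.
foreach ([__DIR__, '/'] as $candidate) {
    $handle = owner_checked_opendir($candidate, '/');
    echo $candidate, ': ', ($handle === false ? 'refused' : 'opened'), PHP_EOL;
    if ($handle !== false) {
        closedir($handle);
    }
}
```

The check and the opendir() call are separate steps, so a directory swapped in between them is not caught. Filesystem permissions or per-user process isolation remain the stronger control on a shared host.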


PHP General Mailing List (http://www.php.net/)