Hi again,

I believe it should disallow openning a directory in safe mode if the UID
of the directory does not match the UID of the PHP script.

That is exactly the behavior of fopen() in safe mode.

Without that behavior, users are permitted to write a PHP script that lets
them crawl around the webserver seeing things they have no rights to see.

It happens on our system that there will never be any files owned by
user A under a directory owned by user B. But even if there were, I think
safe mode should disallow this type of filesystem reading.

Do you think the fact that this file reading is permitted is a bug that
should be reported?


> It works like user/group permission as you
> know. I don't know what you want to protect :)
> Do you mean a script with "opendir()" shouldn't allow openning any
> directory under "open_basedir" if UID does not match?
> You can protect file basis, why do you need other protection for
> directories under open_basedir? Do you have good reason for this?
> --
> Yasuo Ohgaki

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to