I can think of no security reason why you would want to allow anyone to 
display output from a command, but wouldn't want them to be able to assign 
that output to a variable. Can someone explain a situation where that would 
be useful? Aren't any security concerns addressed by the safe_mode_exec_dir= 
directive? Is there any way to get the safety of safe mode without this 
seemingly backwards rule? [If I was a malicious user with the ability to 
upload a script, I certainly wouldn't be at all hindered by being unable to 
have the script itself parse the output - I'd get a separate script to do that 
for me and POST the results back to the server's script just as fast.]

{The intent of this message is to find a way to circumvent this idiocy, to be 
noticed by a developer who will go "oops, did we leave that idiocy in?" or to 
be presented with an explanation for what is, seemingly, idiocy.}

PHP General Mailing List (http://www.php.net/)