I can think of no security reason why you would want to allow anyone to display output from a command, but wouldnt want them to be able to assign that output to a variable. Can someone explain a situation where that would be useful? Arent any security concerns addressed by the safe_mode_exec_dir= directive? Is there any way to get the safety of safe mode without this seemingly backwards rule? [If I was a malicious user with the ability to upload a script, I certainly wouldnt be at all hindered by being unable to have the script itself parse the output- I'd get a seperate script to do that for me and POST the results back to the server's script just as fast.]
{The intent of this message is to find a way to circumvent this idiocy, to be noticed by a developer who will go "oops, did we leave that idiocy in?" or to be presented with an explanation for what is seemingly, idiocy. } -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php