I can think of no security reason why you would want to allow anyone to
display output from a command, but wouldnt want them to be able to assign
that output to a variable. Can someone explain a situation where that would
be useful? Arent any security concerns addressed by the safe_mode_exec_dir=
directive? Is there any way to get the safety of safe mode without this
seemingly backwards rule? [If I was a malicious user with the ability to
upload a script, I certainly wouldnt be at all hindered by being unable to
have the script itself parse the output- I'd get a seperate script to do that
for me and POST the results back to the server's script just as fast.]
{The intent of this message is to find a way to circumvent this idiocy, to be
noticed by a developer who will go "oops, did we leave that idiocy in?" or to
be presented with an explanation for what is seemingly, idiocy. }
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
