PHP :: Bug #17169 :: include_path allows bypass of safe

Bug #17169	include_path allows bypass of safe_mode
Submitted:	2002-05-12 19:16 UTC	Modified:	2002-07-16 09:34 UTC
From:	ilia at prohost dot org	Assigned:
Status:	Closed	Package:	Performance problem
PHP Version:	4.2.0	OS:	Linux 2.4.18
Private report:	No	CVE-ID:	None

View Developer Edit

[2002-05-12 19:16 UTC] ilia at prohost dot org

By setting include_path setting to any directory readable to the webserver it is possible to read files from the directory regardless of safe_mode limitations.

Ex.
<?php
      ini_set('include_path', '/etc/');
      include('passwd');
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-05-13 03:35 UTC] sitnikov at infonet dot ee

I has test this on 4.1.2 & 4.2.0 and it not work for me.

[2002-05-20 12:42 UTC] mfischer@php.net

Is this still an issue or just a configuraion/whatever problem?

[2002-07-16 09:34 UTC] jflemer@php.net

Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php

Works in 4.2.1. Put an
echo "Safe mode: " . ini_get('safe_mode');
in there, and make sure the script isn't owned by the same user as /etc/passwd.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Dec 02 11:00:01 2025 UTC