Request #21218 should be able to set a list of hidden environment vars
Submitted: 2002-12-27 13:55 UTC Modified: 2003-02-06 21:52 UTC
From: ari at alienhosting dot com Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.3.0 OS: Red Hat Linux 7.3
Private report: No CVE-ID: None
 [2002-12-27 13:55 UTC] ari at alienhosting dot com
Currently, safe_mode_protected_env_vars can be set to disallow setting of specific environment variables. I propose an option to set a list of environment variables (possibly with wildcards, such as SUDO_*) that are completely hidden from PHP pages, and do not show up in phpinfo() (since you can disable environment variables, but to hide _ENV globals, you would have to disable variable listing completely, which is not always good enough). Showing certain environment settings is a huge security risk, such as SUDO_UID and SUDO_USER if apache was started using sudo, as well as PWD, PATH, SSH_CONNECTION, etc. Disabling phpinfo() is not always a possibility, since it gives a lot of useful information to users.

 [2002-12-27 14:27 UTC] philip@php.net
On a related note fwiw, even if E is removed from the variables_order directive (so that $_ENV will not exist), one can still use getenv() to access the variables.
 [2002-12-27 14:36 UTC] ari at alienhosting dot com
Hm, I didn't even know you could do that. But I don't want to prevent accessing of environment variables, really just prevent access of some, or at the very least be able to only turn _ENV off for phpinfo().
 [2003-02-06 21:52 UTC] iliaa@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

Simply make sure that these variables are not exported when the webserver is started.
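
The advice in the last comment, together with the SUDO_* wildcard idea from the report, as an added example that is not part of the original thread or of PHP: a POSIX shell wrapper that unsets matching variables before starting a command. `HIDE_PATTERNS`, `hidden_names`, `run_scrubbed` and the server command in the usage comment are hypothetical names chosen for illustration.

```shell
#!/bin/sh
# Added example: start a server without the variables named in the report.
# HIDE_PATTERNS is a hypothetical, constructed list of shell globs.
HIDE_PATTERNS=${HIDE_PATTERNS:-'SUDO_* SSH_*'}

# Print the name of every exported variable that matches a hide pattern.
hidden_names() (
    set -f    # keep the globs as patterns, do not expand them against files
    # A multi-line value can yield a bogus NAME here; unsetting it is harmless.
    for name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'); do
        for pat in $HIDE_PATTERNS; do
            case $name in
                $pat) echo "$name"; break ;;
            esac
        done
    done
)

# Run a command with those variables removed from its environment.
# The subshell keeps the caller's own environment untouched.
run_scrubbed() (
    for name in $(hidden_names); do
        unset "$name"
    done
    exec "$@"
)

# Usage (the server command is an assumption, adjust to your system):
#   run_scrubbed /path/to/apachectl start
# Audit before starting: hidden_names prints what would otherwise leak.
```

PATH is deliberately not in the default list, because the wrapper and the server still need it to locate programs; set it to a fixed value in the start script instead.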