PHP :: Doc Bug #21975 :: document safe_mode/open

Doc Bug #21975

document safe_mode/open_basedir gotchas

Submitted:

2003-01-30 21:41 UTC

Modified:

2006-01-19 16:45 UTC

Votes:	7
Avg. Score:	4.4 ± 0.5
Reproduced:	6 of 6 (100.0%)
Same Version:	3 (50.0%)
Same OS:	2 (33.3%)

From:

philip at cornado dot com

Assigned:

Status:

Closed

Package:

Documentation problem

PHP Version:

Irrelevant

OS:

Irrelevant

Private report:

CVE-ID:

None

View Add Comment Developer Edit

[2003-01-30 21:41 UTC] philip at cornado dot com

This bug report is where we list quirks, concerns, BC breaks, uses, and general gotchas that stem from either safe mode or open_basedir.  Information that everyone from sysadmin's to newbie users should know.

For example, a potential safe_mode gotcha:

  - As of PHP 4.3.0, the PHP_AUTH_* variables are NOT
    available in PHP when both an external auth mechanism
    exists and PHP is in safe mode.  Note: REMOTE_USER is
    available regardless.

There are others that belong in this bug report and eventually in the docs.  Regarding open_basedir, there is a recent (4.3.0) PHP change regarding both upload_dir and include_path but I'm not sure what they are exactly ...  hopefully this bug report will know soon ;)  And there are others.

open_basedir and safe mode are documented here:
  - phpdoc/{lang}/features/safe-mode.xml

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-04-17 20:01 UTC] moron at industrial dot org

It appears that move_uploaded_file() is either broken with 4.3.1 
or its behaviour radically changed under safe_mode.  All of a 
sudden file uploads are now failing with "open_basedir" 
restriction errors (kind of defeating the purpose of 
move_uploaded_file IMHO).  Some clarification on this issue 
would be definitely appreciated.

Cheers

[2003-05-14 07:31 UTC] nickyboy at 4ce dot co dot uk

Following an upgrade from 4.0.6 is seems that open_basedir and move_uploaded_file no longer resolve symlinks.  
Previously the scripts worked with no problem, but we've just had to update httpd.conf so the
php_admin_value open_basedir 
is now the real path rather than a symlink...

The documentation for open_basedir states:
http://www.php.net/manual/sl/features.safe-mode.php
"All symbolic links are resolved"

There is a user comment on move_file_upload but there is no formal documentation for this!  I'm guessing it's a bug rather than new behaviour, or the documentation needs a look...  

This is however a different issue from bug 21885
and that maybe worth a look first if you are getting errors mentioning the /tmp  directory!

[2003-09-10 09:11 UTC] tim at timj dot co dot uk

As noted in bug 13843, all program execution functions pass the complete command that is about to be executed to the internal equivalent of escapeshellcmd() before executing, when in safe mode.

This is a very important gotcha which doesn't appear to be documented anywhere; it should be documented on the manual page for each program execution function, and also in "Features -> Safe Mode -> Functions restricted/disabled by safe mode".

[2004-07-27 19:26 UTC] vrana@php.net

This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

Continue with listing, I just documented escapeshellcmd.

"escapeshellcmd() is executed on the argument of this function." by all exec functions restricted by safe_mode.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 25 16:01:28 2024 UTC