PHP :: Bug #13447 :: Security not blocking "unlink" delete functions

Bug #13447	Security not blocking "unlink" delete functions
Submitted:	2001-09-26 04:48 UTC	Modified:	2005-01-31 23:34 UTC
From:	ajo at dpzone dot com	Assigned:
Status:	Closed	Package:	Safe Mode/open_basedir
PHP Version:	4.0.6	OS:	windows 2000
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	ajo at dpzone dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2001-09-26 04:48 UTC] ajo at dpzone dot com

Running PHP in Apache using the MODULE configuration.

Apache/1.3.14 (Win32) PHP/4.0.6 mod_ssl/2.7.2 OpenSSL/0.9.6 running.

With the following: 

php_admin_flag safe_mode on
php_admin_value open_basedir c:/pr
php_admin_value doc_root c:/pr
php_admin_value user_dir c:/pr

IT SUCCESSFULLY blocks reads in directories other than c:/pr, but it DOES NOT block unlinks (file deletion) outside. So... My users cannot read other users files, however they can delete anything they want. Very strange. I DO NOT care about it checking "UIDs" as I do not create different Users for each USER... I want to be able to restrict access to a directory and call it good. 

<?php

echo "Peace!";
//unlink ("c:/test.txt");// UNLINK WORKS (This should fail)
$fp = fopen ("c:/test.txt", "r"); // FAILS SECURITY CHECK
echo "Dude10";
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-12-19 08:43 UTC] sander@php.net

Can you try adding a trailing slash (c:/pr/), and can you try 4.1.0???

[2001-12-19 15:47 UTC] ajo at dpzone dot com

I tried both adding a trailing slash (c:/pr/), and  4.1.0

You are still able to delete a file at your choosing. It's also interesting that the following has NO EFFECT.

php_admin_value disable_functions unlink

I have been unable to disable the command also. 

I really want to get PHP setup, but I can't give global access to everyone.

[2001-12-21 03:48 UTC] derick@php.net

This is fixed in CVS now.

Derick

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Oct 29 23:00:01 2025 UTC