PHP :: Bug #13060 :: "allow_url_fopen = On" disables safe

Bug #13060	"allow_url_fopen = On" disables safe_mode UID check
Submitted:	2001-08-30 11:03 UTC	Modified:	2001-10-20 19:48 UTC
From:	admin at kontent dot de	Assigned:
Status:	Closed	Package:	*Configuration Issues
PHP Version:	4.0.6	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	admin at kontent dot de
New email:
PHP Version:		OS:

New Comment:

[2001-08-30 11:03 UTC] admin at kontent dot de

When I turn off allow_url_fopen in php.ini the safe_mode UID check seems to be disabled. 

With "allow_url_fopen = on" an include("/etc/passwd") returns the following error:

"The script whose uid is 10000 is not allowed to access /etc/passwd owned by uid 0"

after I've changed the settings to "allow_url_fopen = off" the inclusion works fine, so there is no way to prevent customers from including external files and local system files.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-10-20 19:48 UTC] sniper@php.net

Can not reproduce with PHP 4.1.0 RC1

--Jani

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Dec 21 13:01:31 2024 UTC