Bug #13447 Security not blocking "unlink" delete functions
Submitted: 2001-09-26 04:48 UTC
Modified: 2005-01-31 23:34 UTC
From: ajo at dpzone dot com
Assigned:
Status: Closed
Package: Safe Mode/open_basedir
PHP Version: 4.0.6
OS: windows 2000
Private report: No
CVE-ID: None
 [2001-09-26 04:48 UTC] ajo at dpzone dot com
Running PHP in Apache using the MODULE configuration.

Apache/1.3.14 (Win32) PHP/4.0.6 mod_ssl/2.7.2 OpenSSL/0.9.6 running.

With the following: 

php_admin_flag safe_mode on
php_admin_value open_basedir c:/pr
php_admin_value doc_root c:/pr
php_admin_value user_dir c:/pr

IT SUCCESSFULLY blocks reads in directories other than c:/pr, but it DOES NOT block unlinks (file deletion) outside. So... My users cannot read other users' files, however they can delete anything they want. Very strange. I DO NOT care about it checking "UIDs" as I do not create different Users for each USER... I want to be able to restrict access to a directory and call it good.

<?php

echo "Peace!";
//unlink ("c:/test.txt");// UNLINK WORKS (This should fail)
$fp = fopen ("c:/test.txt", "r"); // FAILS SECURITY CHECK
echo "Dude10";
?>

 [2001-12-19 08:43 UTC] sander@php.net
Can you try adding a trailing slash (c:/pr/), and can you try 4.1.0???
 [2001-12-19 15:47 UTC] ajo at dpzone dot com
I tried both adding a trailing slash (c:/pr/) and 4.1.0.

You are still able to delete a file at your choosing. It's also interesting that the following has NO EFFECT.

php_admin_value disable_functions unlink

I have been unable to disable the command also. 

I really want to get PHP set up, but I can't give global access to everyone.
 [2001-12-21 03:48 UTC] derick@php.net
This is fixed in CVS now.

Derick
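
A regression check for the behaviour reported in this bug, as an added example (not code from the report or from the PHP project): the script confines itself with open_basedir and confirms that write and delete calls, not only reads, are refused outside the allowed directory. The temporary directory and file names are constructed for the example, and it assumes PHP 5.4 or later, setting open_basedir at runtime with ini_set rather than through php_admin_value.

```php
<?php
// Added example: verify that open_basedir is enforced for write-side and
// delete calls as well as reads. Run with the PHP CLI. All paths below are
// constructed temp locations, not paths from the bug report.
$root    = realpath(sys_get_temp_dir()) . DIRECTORY_SEPARATOR . 'obd_' . getmypid();
$allowed = $root . DIRECTORY_SEPARATOR . 'allowed';
$outside = $root . DIRECTORY_SEPARATOR . 'outside';
mkdir($allowed, 0700, true);
mkdir($outside, 0700, true);

// One target file per check, so an unenforced call cannot make a later
// check fail for an unrelated reason (e.g. the file is already gone).
foreach (['read', 'write', 'copy', 'rename', 'unlink'] as $n) {
    file_put_contents("$outside/$n.txt", "constructed sample\n");
}

// open_basedir can be tightened at runtime; trailing separator as in the thread.
ini_set('open_basedir', $allowed . DIRECTORY_SEPARATOR);

// Collect every warning: stream functions emit a second "failed to open
// stream" warning after the open_basedir one, so the last error is not enough.
$seen = [];
set_error_handler(function ($no, $str) use (&$seen) { $seen[] = $str; return true; });

$checks = [
    'read'   => function ($f) { return fopen($f, 'r'); },
    'write'  => function ($f) { return file_put_contents($f, 'x'); },
    'copy'   => function ($f) use ($allowed) { return copy($f, "$allowed/copy.txt"); },
    'rename' => function ($f) use ($allowed) { return rename($f, "$allowed/moved.txt"); },
    'unlink' => function ($f) { return unlink($f); },
];

$failed = 0;
foreach ($checks as $name => $call) {
    $seen    = [];
    $result  = $call("$outside/$name.txt");
    $hit     = preg_grep('/open_basedir restriction in effect/', $seen);
    $blocked = $result === false && count($hit) > 0;
    printf("%-7s %s\n", $name, $blocked ? 'blocked' : 'NOT BLOCKED');
    $failed += $blocked ? 0 : 1;
}
// The "outside" directory stays in the temp dir: once the restriction
// holds, this process can no longer remove it.
exit($failed === 0 ? 0 : 1);
```

A non-zero exit status means at least one call outside the allowed directory was not refused by open_basedir, which for `unlink` is the condition this report describes.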
 
Last updated: Sun Jan 05 03:01:28 2025 UTC