PHP :: Request #14071 :: 'admin-values' php.ini also for CGI-binary

'admin-values' php.ini also for CGI-binary

Submitted:

2001-11-15 13:12 UTC

Modified:

2017-10-23 00:25 UTC

Votes:	3
Avg. Score:	3.3 ± 0.5
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

maddog2k at maddog2k dot nl

Assigned:

kalle (profile)

Status:

Closed

Package:

PHP options/info functions

PHP Version:

4.0.6

OS:

Linux/FreeBSD

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	maddog2k at maddog2k dot nl
New email:
PHP Version:		OS:

New Comment:

[2001-11-15 13:12 UTC] maddog2k at maddog2k dot nl

The problem I ran into while using PHP as CGI-binary under for example Apache instead of mod_php, is that you can't simply allow restrictive overrides of certain values.

If you for example put a 'php.ini' file in a directory, PHP will read that file...completely ignoring the /usr/local/lib/php.ini

Let's say we have a malicious user who wants to upload files of 100MB, he could simply do that by allowing this in his 'own' php.ini (post_max_size). I don't think this is a wanted situation.

The restriction I'm using now (thanks to Mathieu), is by an edited php_ini.c that reads only the php.ini from PHP_CONFIG_FILE_PATH. 

Why not using the same guidelines as with the ini_set() function ? Or an option in the 'default' .ini, to turn this behaviour on...:))

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2003-01-10 04:51 UTC] maddog2k at maddog2k dot nl

Guess I'm the only one who'd like this behaviour :)

[2010-12-03 17:49 UTC] jani@php.net

-Package: Feature/Change Request +Package: PHP options/info functions

[2017-10-23 00:25 UTC] kalle@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: kalle

[2017-10-23 00:25 UTC] kalle@php.net

I'm not sure at what point the php-cgi -c option was introduced, but it seems more reasonable to simply supply the CGI SAPI of PHP with a specific php.ini file using php-cgi -c /path/to/php.ini

Please re-open if this still is an issue with PHP7

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue May 06 02:01:28 2025 UTC