PHP :: Bug #17157 :: fopen can bypass safe

Bug #17157	fopen can bypass safe_mode
Submitted:	2002-05-11 15:51 UTC	Modified:	2002-06-18 19:59 UTC
From:	ilia at prohost dot org	Assigned:
Status:	Closed	Package:	Scripting Engine problem
PHP Version:	4.2.0	OS:	Linux 2.4.18
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	ilia at prohost dot org
New email:
PHP Version:		OS:

New Comment:

[2002-05-11 15:51 UTC] ilia at prohost dot org

If a readfile() function is passed 3rd parameter, which normally indicated that the file should be opened from the "include_path", it can by pass safe_mode limitations.

ex.

<?php
fpassthru(fopen("/etc/passwd", "r", 1));
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-05-11 16:01 UTC] rasmus@php.net

Same bug as 17156 - fixed in CVS

[2002-06-18 19:59 UTC] sniper@php.net

This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at http://snaps.php.net/. In case this was a documentation 
problem, the fix will show up soon at http://www.php.net/manual/.
In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Dec 06 05:00:02 2025 UTC