Bug #19703 safe_mode allows include-ing of http documents
Submitted: 2002-10-01 21:40 UTC Modified: 2005-01-31 22:58 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: phpbug-011002-1 at smayw dot nask dot com Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 4.2.3 OS: Linux
Private report: No CVE-ID: None
 [2002-10-01 21:40 UTC] phpbug-011002-1 at smayw dot nask dot com
I believe PHP with safe_mode enabled should not allow include-ing of files via http:// or any other remote means, if it will not allow based on permissions and open_basedir and such.

The relevant portion of httpd.conf:

php_admin_flag safe_mode on
php_admin_value open_basedir /home/web/www.tras.pl/
php_admin_value doc_root /home/web/www.tras.pl/www/
php_admin_value safe_mode_exec_dir /usr/local/php/bin

test script at:

http://www.tras.pl/test-safe.php

source at:

http://www.tras.pl/test-safe.txt

 [2002-10-02 00:17 UTC] yohgaki@php.net
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.

 [2002-10-02 00:17 UTC] yohgaki@php.net
I cannot open URLs
 [2002-10-02 11:11 UTC] phpbug-011002-1 at smayw dot nask dot com
OK, let's try this again.

The issue is that PHP in safe_mode will allow files to be 'include'-d via http:// even if it will not allow files outside of open_basedir and such.

I furthermore believe this might be dependent on cURL support being compiled in.

test code (shows safe_mode/open_basedir restrictions enforced, but allows inclusion via http://):

<?php
   ini_set("display_errors", "1");
   include "/tmp/blah.php";                 // outside open_basedir: refused by safe_mode/open_basedir
   echo "<br>";
   include "/tmp/blah2.php";                // outside open_basedir: refused as well
   echo "<br>";
   include "http://www.tras.pl/test.txt";   // remote URL: fetched and included despite safe_mode
?>

code can be viewed in action at:
	http://www.tras.pl/test-safe.php
code source can be viewed at:
	http://www.tras.pl/test-safe.txt
phpinfo(); output can be viewed at:
	http://www.tras.pl/phpinfo.php

if you need more info, let me know what you need before marking this as 'bogus' again.  thanks
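The behaviour described in this report (safe_mode and open_basedir blocking local paths while a remote http:// include goes through) is why the remote-include switches have to be turned off separately from safe_mode. The following is an added example, not code from the reporter or from PHP itself: it reads the two ini settings that govern URL includes (allow_url_fopen, present in the 4.x line, and allow_url_include, added in PHP 5.2) so a deployment can fail loudly when they are still enabled, and it wraps include in a guard that rejects any stream-wrapper scheme and any path outside a chosen base directory. The base directory and the helper file path at the bottom are hypothetical placeholders, not values from the page.

```php
<?php
// Added example (not the bug reporter's code): defend against remote includes
// even on builds where safe_mode/open_basedir alone do not block them.

// 1. Report whether the runtime still allows URL includes.
//    ini_get() returns "1", "0" or "" for these flags; an unknown setting
//    (allow_url_include on PHP < 5.2) comes back as false here.
function remote_include_settings(): array {
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'),   FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

// 2. Include only regular files below an allowed base directory. Anything
//    that starts with a scheme (http://, ftp://, php://, data:, ...) is a
//    stream wrapper, not a local path, and is refused before PHP sees it.
function safe_include(string $path, string $baseDir): void {
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $path)) {
        throw new InvalidArgumentException("refusing include with stream wrapper: $path");
    }
    $base = realpath($baseDir);
    $real = realpath($path);
    if ($base === false || $real === false || !is_file($real)) {
        throw new InvalidArgumentException("include target does not exist: $path");
    }
    // realpath() has resolved symlinks and "..", so a plain prefix test is
    // enough to confirm the file really lives under the base directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException("include target escapes $baseDir: $path");
    }
    include $real;
}

// Usage: warn if the hardened configuration is not in effect, then include
// through the guard. Paths below are hypothetical placeholders.
$settings = remote_include_settings();
if ($settings['allow_url_fopen'] || $settings['allow_url_include']) {
    error_log('warning: remote URL includes are enabled in this runtime');
}

try {
    safe_include('/path/to/docroot/lib/helper.php', '/path/to/docroot');
    safe_include('http://example.invalid/test.txt', '/path/to/docroot');  // refused
} catch (InvalidArgumentException $e) {
    error_log($e->getMessage());
}
```

In the same httpd.conf style the reporter uses, the corresponding server-side hardening is `php_admin_flag allow_url_fopen off` and, on PHP 5.2 or later, `php_admin_flag allow_url_include off`; the guard above is the in-script check for environments where those directives cannot be relied upon.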
 [2002-10-02 11:27 UTC] sander@php.net
I don't see why this is a problem. safe_mode is meant to avoid that people (who are allowed to run php scripts on a server) retrieve sensitive information from the server. In this case, the information is already 'freely' available, so it's not considered sensitive.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 12:01:30 2024 UTC