php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #35261 php_admin_value does not lock include_path
Submitted: 2005-11-17 14:26 UTC Modified: 2007-08-20 13:21 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: Bjorn dot Wiberg at its dot uu dot se Assigned:
Status: Closed Package: Documentation problem
PHP Version: 5CVS-2005-12-13 (cvs) OS: *
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: Bjorn dot Wiberg at its dot uu dot se
New email:
PHP Version: OS:

 

 [2005-11-17 14:26 UTC] Bjorn dot Wiberg at its dot uu dot se
Description:
------------
When include_path is set using php_admin_value in httpd.conf, it is still possible to override it in PHP scripts.

Shouldn't php_admin_value lock the value regardless of where the attempt to change it is done? (With the exception that PHP configuration directives for virtual hosts should be able to override any PHP configurations done in the main server section of httpd.conf.)

The documentation states that include_path is of type PHP_INI_ALL and can be changed from anywhere (http://www.php.net/manual/en/ini.php#ini.list), but also states that values set with php_admin_value directives cannot be overriden e.g. by virtualhost directives (http://se2.php.net/configuration.changes) -- which isn't true -- overriding php_admin_value include_path of the main server with another php_admin_value include_path in virtual host configurations works just fine!

Best regards,
Björn

Reproduce code:
---------------
httpd.conf configuration of mod_php5:

  php_admin_value include_path ".:/apache/php/lib/php"

Example PHP script:

<HTML>

  <HEAD>
    <TITLE></TITLE>
  </HEAD>

  <BODY>

    <?php
      echo('Include path is: ' . ini_get('include_path') . '<BR>');
      $result = ini_set('include_path', '.:/apache/php/lib/php:/apache/htdocs/bwiberg/php');

      if ($result === FALSE) {
        echo('ini_set returned FALSE<BR>');
      } else if (empty($result)) {
        echo('ini_set returned an empty string<BR>');
      } else {
        echo('ini_set returned ' . $result . ', include path is now: ' . ini_get('include_path') . '<BR>');
      }
    ?>

  </BODY>
</HTML>


Expected result:
----------------
Include path is: .:/apache/php/lib/php
ini_set returned FALSE
Include path is now: .:/apache/php/lib/php

..or possibly, as someone pointed out at http://www.php.net/manual/en/function.ini-set.php#19874:

Include path is: .:/apache/php/lib/php
ini_set returned an empty string
Include path is now: .:/apache/php/lib/php

Actual result:
--------------
 Include path is: .:/apache/php/lib/php
ini_set returned .:/apache/php/lib/php
Include path is now: .:/apache/php/lib/php:/apache/htdocs/bwiberg/php


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-12-13 15:47 UTC] sniper@php.net
You can still "change" the value, but it won't REALLY change.
 [2005-12-13 16:58 UTC] Bjorn dot Wiberg at its dot uu dot se
Hi again!

Yes, it does indeed change the setting. I have tried this when including classes in subdirectories; got "class not found" errors  when not setting the desired path(s) in my script, but worked fine when I did set the desired path(s) in my script. Although the setting should be locked by httpd.conf...

Best regards,
Bj?rn
 [2005-12-13 17:33 UTC] sniper@php.net
This indeed works even when it shouldn't..

 [2005-12-13 20:31 UTC] Bjorn dot Wiberg at its dot uu dot se
Thank you for trying this with the latest CVS version for me (recompiling, preparing and installing into the chroots on our systems takes a rather long time).

Just a quick note to tell that we're not using safe mode or open_basedir restrictions on our server, but that the php_admin_* probably should lock the settings nevertheless (so that they cannot be overridden by PHP scripts or .htaccess files).

Also a note to tell that overriding php_admin_value:s in the main server config with corresponding php_admin_value:s in vhost configurations is fine with me -- I would hate to see that possibility go away, as that is a pretty important feature for those of us doing mass virtual hosting.

Best regards,
Bj?rn
 [2005-12-13 21:25 UTC] sniper@php.net
see bug #20377
 [2005-12-13 23:07 UTC] Bjorn dot Wiberg at its dot uu dot se
Sorry to bother you again, but this ought to be pointed out in the documentation (that php_admin_value/php_admin_flag directives may be overridden by vhost configurations and ini_set in scripts but not .htaccess files) -- and also for which classes of configuration directives this applies (PHP_INI_ALL, PHP_INI_PERDIR?). Obviously the "Any directive type set with php_admin_value can not be overridden by .htaccess or virtualhost directives" statement of http://se2.php.net/configuration.changes is incorrect, as php_admin_* of the main server may very well be overridden by virtual host php_admin_* directives.

Furthermore, it seems that the feature request of bug #20377 was indeed carried out (as directives may be overridden by vhost configurations), but your comment appears to indicate that there is another bug which describes a different problem; that of ini_set() being able to override main configuration/vhost configuration php_admin_* settings. If so, do you have a bug ID for that one? (If so, then this one would be marked as a dupe of that bug, I suppose, and bug #20377 could be closed, if all the requested functionality is already available.)

Best regards,
Bj?rn
 [2005-12-13 23:13 UTC] tony2001@php.net
"Furthermore, it seems that the feature request of bug #20377 was indeed carried out"
No, it wasn't.
Status "verified" means that the report has been verified and does not mean that the feature request has been fulfilled.
Reclassified as docu problem.
 [2007-08-20 13:21 UTC] vrana@php.net
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

"Any directive type set with php_admin_* can not be overridden by .htaccess."
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Dec 04 19:01:32 2024 UTC