Request #37745 Include exec_dir patch in PHP distribution
Submitted: 2006-06-08 13:28 UTC Modified: 2017-07-25 00:26 UTC
Votes:19
Avg. Score:5.0 ± 0.0
Reproduced:15 of 15 (100.0%)
Same Version:7 (46.7%)
Same OS:6 (40.0%)
From: phpbugs at aa-works dot de Assigned:
Status: Wont fix Package: Program Execution
PHP Version: 5.1.4 OS: n/a
Private report: No CVE-ID: None

 [2006-06-08 13:28 UTC] phpbugs at aa-works dot de
Description:
------------
PHP can be configured to only execute programs (with exec()-type functions) which are contained in a certain directory while running in safe mode.
There is no such configuration option for PHP not running in safe mode in the main PHP distribution, but a patch to add that feature exists:
http://kyberdigi.cz/projects/execdir/english.html

Reproduce code:
---------------
n/a

Expected result:
----------------
exec_dir configuration directive being available

Actual result:
--------------
it isn't yet

 [2012-04-20 12:54 UTC] php at cabillot dot eu
To the PHP team: what do you think about this feature?

Now that safe_mode is disabled, how can hosting companies protect consumers from themselves?
 [2016-12-30 23:47 UTC] cmb@php.net
-Package: Feature/Change Request +Package: Program Execution
 [2017-07-25 00:26 UTC] johannes@php.net
-Status: Open +Status: Wont fix
 [2017-07-25 00:26 UTC] johannes@php.net
We don't have safe_mode anymore.
 [2017-07-25 05:46 UTC] spam2 at rhsoft dot net
by listing exec() and friends in disabled_functions like everybody qualified to host customers did the last 15 years - allowing whatever binary outside php to get called while talking about folder restrictions is naive - once that thing is started it can call exec() itself and is no longer bound to any php restrictions and that is why safe_mode was dumb from the beginning, especially that it enforced files to be writable by the web server

others have a chrooted httpd instance per customer on a different port than 80 and a common reverse proxy in front and these days you have containers and virtualization too
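
The function-disabling approach from the last comment can be audited per configuration. The following is an added example, not part of the bug report or of PHP itself; it assumes the program-execution functions listed in the PHP manual as the set to check, reads the `disable_functions` directive, and uses constructed sample values and pool names.

```php
<?php
// Added example: reports which program-execution functions a given
// disable_functions value leaves callable. Not code from the bug report.

// Program-execution functions documented in the PHP manual (assumed audit set).
// The backtick operator is covered by shell_exec: it is disabled with it.
const EXEC_FAMILY = ['exec', 'passthru', 'shell_exec', 'system',
                     'proc_open', 'popen', 'pcntl_exec'];

/**
 * Return the exec-family functions NOT covered by a disable_functions value.
 */
function uncovered_exec_functions(string $disableFunctions): array
{
    // The directive is a comma-separated list; function names are
    // case-insensitive and may be surrounded by whitespace.
    $disabled = array_map(
        fn(string $name): string => strtolower(trim($name)),
        explode(',', $disableFunctions)
    );
    return array_values(array_diff(EXEC_FAMILY, $disabled));
}

function describe(array $open): string
{
    return $open ? 'still callable: ' . implode(', ', $open)
                 : 'exec family disabled';
}

// Constructed sample values (hypothetical per-customer configurations).
$samples = [
    'customer-a' => 'exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec',
    'customer-b' => 'exec, System',  // partial list: other entry points remain
    'customer-c' => '',              // directive unset
];

foreach ($samples as $pool => $value) {
    printf("%-11s %s\n", $pool, describe(uncovered_exec_functions($value)));
}

// Audit the setting of the interpreter running this script.
$live = (string) ini_get('disable_functions');
printf("%-11s %s\n", 'this SAPI', describe(uncovered_exec_functions($live)));
```

A partial list such as the `customer-b` sample leaves `passthru`, `shell_exec`, `proc_open`, `popen` and `pcntl_exec` reachable, so the check is only meaningful when every entry point is covered.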
 
Last updated: Sat Dec 21 16:01:28 2024 UTC