PHP :: Bug #39711 :: shell_exec() fails in HTTPS mode when safe

Bug #39711	shell_exec() fails in HTTPS mode when safe_mode = off (local)
Submitted:	2006-12-02 03:26 UTC	Modified:	2006-12-02 06:31 UTC
From:	joe at neosource dot com dot au	Assigned:
Status:	Not a bug	Package:	Safe Mode/open_basedir
PHP Version:	4.4.4	OS:	Linux / Apache/2.0.52
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	joe at neosource dot com dot au
New email:
PHP Version:		OS:

New Comment:

[2006-12-02 03:26 UTC] joe at neosource dot com dot au

Description:
------------
Hi,

I have found that on PHP 4.4.4 shell_exec() fails when local safe_mode = off and master safe_mode = on - only when the script is a secure HTTPS URL. The problem does not appear in HTTP mode.

shell_exec() and other related & safe_mode affected functions fail too such as is_executable() and file_exists(), but no error or warning message is generated.

This bug caused me some grief over the past couple days as I had no idea why my sendmail script was behaving strangely as sometimes it'd work and other times it wouldn't (due to the site switching from HTTP/HTTPS mode). It wasn't an obvious bug to find, but after much debugging this is what I've found to be the cause.

I hope you guys have as much fun squishing this bug as I did  finding it ! :)

Happy to offer any assistance with reproducing / troubleshooting the bug.

Joe

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2006-12-02 03:57 UTC] joe at neosource dot com dot au

I noticed that phpinfo() shows safe_mode=on in HTTPS mode, but safe_mode=off in HTTP mode. Is there a separate safe_mode setting for HTTPS hosts ?

[2006-12-02 04:35 UTC] joe at neosource dot com dot au

Sorry guys,

The issue has now been resolved, I wasn't aware that the safe_mode setting is applied to the HTTPS and HTTP hosts separately. My ISP had warnings suppressed, so that'd probably explain why I didnt't find any error messages in the log files.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Jul 03 19:01:35 2025 UTC