PHP :: Request #43822 :: Allow ini_set('include_path', ??) even when php_admin_value include

Allow ini_set('include_path', ??) even when php_admin_value include_path is set

Submitted:

2008-01-11 20:55 UTC

Modified:

2011-04-08 21:32 UTC

Votes:	6
Avg. Score:	4.3 ± 0.9
Reproduced:	5 of 5 (100.0%)
Same Version:	3 (60.0%)
Same OS:	0 (0.0%)

From:

birne at 007mail dot de

Assigned:

Status:

Open

Package:

PHP options/info functions

PHP Version:

5.2.5

OS:

Ubuntu Linux 7.10

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	birne at 007mail dot de
New email:
PHP Version:		OS:

New Comment:

[2008-01-11 20:55 UTC] birne at 007mail dot de

Description:
------------
After the patch for #41561 was applied, ini_set() could no longer overwrite any configuration value that was previously defined using php_admin_*. 

In #43598 sniper wrote: php_admin_* is supposed to make any such option unusable by anybody in any script. And it's meant for hosting companies.

I agree, that in a hosting environment no customer should be able to overwrite configuration like open_basedir. But there is no harm in allowing the customer to change include_path; on the contrary is it of great use for the customer to add his own libraries.

Before the #41561 patch was applied, this was already possible for years and that was no bug, because overwriting open_basedir was not possible at all.

I suggest to define another "Changeable" scope (see http://php.net/manual/en/ini.php) for configuration values like "PHP_INI_OVERWRITEABLE" wich behaves like "PHP_INI_ALL" but in addition to that can be overwritten using ini_set() even when previously defined using php_admin_*. The inlude_path would be one of the new PHP_INI_OVERWRITEABLE directives, additional harmless ones must be defined.

Please make sure to properly document that change - the new behavior of the patch for #41561 is still not documented anywhere (or I did not find it..)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-01-11 21:59 UTC] derick@php.net

I think you can use set_include_path() for this: http://no.php.net/manual/en/function.set-include-path.php

[2009-03-20 13:13 UTC] derernst at gmx dot ch

Using set_include_path() instead of ini_set('include_path') does not seem to make a difference.

I consider this change, that disables setting the include_path at runtime, a severe backwards compatibility break. For example it can make an application that relies on a manual PEAR installation unuseable. This is a problem specially in shared hosting environments, where you usually can't control the server configuration.

[2010-06-10 13:09 UTC] jo at feuersee dot de

PHP 5.3.2
As derernst corretly stated, using set_include_path() instead of ini_set() 
does not make any difference.
This behavior doesn't add any security (as you can still include files 
anywhere as long as open_basedir allows it), but limits convenience (eg. 
adding a framework, writing custom autoloader functions, ...)

[2011-04-08 21:32 UTC] jani@php.net

-Package: Feature/Change Request +Package: PHP options/info functions

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 17:01:32 2024 UTC