PHP :: Request #7217 :: Security Problem with "include

Request #7217	Security Problem with "include_dir" configuration
Submitted:	2000-10-15 03:49 UTC	Modified:	2001-08-27 11:44 UTC
From:	afader at asqnet dot org	Assigned:
Status:	Duplicate	Package:	Feature/Change Request
PHP Version:	4.0.2	OS:	linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	afader at asqnet dot org
New email:
PHP Version:		OS:

New Comment:

[2000-10-15 03:49 UTC] afader at asqnet dot org

Okay - set up a common script directory. /home/httpd/phpi
in php.ini - set include_dir = .:/home/httpd/phpi
set safe_mode on.
Put a file into the directory.  Call it "counter.inc"
make the owner of counter.inc any user and any group.
make a web page with a different user in the same group.

the web page cannot include("counter.inc"); you get a warning: SAFE MODE that uid 1 <> uid 2.

This makes it impossible to have shared php includes across multiple users.

- REQUEST -
Allow some way for SAFE MODE to ignore user matching on a selected directory (or set of directories.)  Or ignore matching for a specific userid/or/groupid on the target files???

Or, let me know what I'm doing wrong???

- Thanks -
Alexander

p.s. PHP rules ;-)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-08-27 11:44 UTC] sander@php.net

Duplicate of 8963.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed May 07 15:01:31 2025 UTC