PHP :: Request #7217 :: Security Problem with "include

Request #7217	Security Problem with "include_dir" configuration
Submitted:	2000-10-15 03:49 UTC	Modified:	2001-08-27 11:44 UTC
From:	afader at asqnet dot org	Assigned:
Status:	Duplicate	Package:	Feature/Change Request
PHP Version:	4.0.2	OS:	linux
Private report:	No	CVE-ID:	None

View Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 29 + 5 = ?
Subscribe to this entry?

[2000-10-15 03:49 UTC] afader at asqnet dot org

Okay - set up a common script directory. /home/httpd/phpi
in php.ini - set include_dir = .:/home/httpd/phpi
set safe_mode on.
Put a file into the directory.  Call it "counter.inc"
make the owner of counter.inc any user and any group.
make a web page with a different user in the same group.

the web page cannot include("counter.inc"); you get a warning: SAFE MODE that uid 1 <> uid 2.

This makes it impossible to have shared php includes across multiple users.

- REQUEST -
Allow some way for SAFE MODE to ignore user matching on a selected directory (or set of directories.)  Or ignore matching for a specific userid/or/groupid on the target files???

Or, let me know what I'm doing wrong???

- Thanks -
Alexander

p.s. PHP rules ;-)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-08-27 11:44 UTC] sander@php.net

Duplicate of 8963.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 12:00:01 2025 UTC