php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #11549 open_basedir/include_path security improvement
Submitted: 2001-06-19 03:35 UTC Modified: 2010-12-31 20:21 UTC
From: david at ols dot es Assigned: jani (profile)
Status: Closed Package: *General Issues
PHP Version: 4.0.5 OS: Any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: david at ols dot es
New email:
PHP Version: OS:

 

 [2001-06-19 03:35 UTC] david at ols dot es 
As for now, when in safe mode include_path will not work correctly
unless all included paths are also in open_basedir, so there is no way
to stop users to read files from include_path. 

It will be useful to restrict include_path to only include and require
just by not including those paths also in open_basedir. This will
also require some configuration options to avoid defining include_path
in .htaccess files and the use of include_path in fopen functions.

This way you could store critical information (like db passwords) in
included files allowing users to use functions defined in that files but
without allowing them to read the real code.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-12-31 20:21 UTC] jani@php.net
-Status: Open +Status: Closed -Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: jani
 [2010-12-31 20:21 UTC] jani@php.net 
All of described is implemented in some ways, if you still think it's not, please give proper example of what you want to achieve.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri May 17 11:01:34 2024 UTC