PHP :: Bug #13060 :: "allow_url_fopen = On" disables safe

Bug #13060	"allow_url_fopen = On" disables safe_mode UID check
Submitted:	2001-08-30 11:03 UTC	Modified:	2001-10-20 19:48 UTC
From:	admin at kontent dot de	Assigned:
Status:	Closed	Package:	*Configuration Issues
PHP Version:	4.0.6	OS:	Linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	admin at kontent dot de
New email:
PHP Version:		OS:

New/Additional Comment:

[2001-08-30 11:03 UTC] admin at kontent dot de

When I turn off allow_url_fopen in php.ini the safe_mode UID check seems to be disabled. 

With "allow_url_fopen = on" an include("/etc/passwd") returns the following error:

"The script whose uid is 10000 is not allowed to access /etc/passwd owned by uid 0"

after I've changed the settings to "allow_url_fopen = off" the inclusion works fine, so there is no way to prevent customers from including external files and local system files.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2001-10-20 19:48 UTC] sniper@php.net

Can not reproduce with PHP 4.1.0 RC1

--Jani

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu May 02 13:01:30 2024 UTC