Bug #19703 safe_mode allows include-ing of http documents
Submitted: 2002-10-01 21:40 UTC Modified: 2005-01-31 22:58 UTC
Votes: 2
Avg. Score: 5.0 ± 0.0
Reproduced: 2 of 2 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: phpbug-011002-1 at smayw dot nask dot com Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 4.2.3 OS: Linux
Private report: No CVE-ID: None
 [2002-10-01 21:40 UTC] phpbug-011002-1 at smayw dot nask dot com
I believe PHP with safe_mode enabled should not allow include-ing of files via http:// or any other remote means, if it will not allow based on permissions and open_basedir and such.

The relevant portion of httpd.conf:

php_admin_flag safe_mode on
php_admin_value open_basedir /home/web/www.tras.pl/
php_admin_value doc_root /home/web/www.tras.pl/www/
php_admin_value safe_mode_exec_dir /usr/local/php/bin

test script at:

http://www.tras.pl/test-safe.php

source at:

http://www.tras.pl/test-safe.txt

 [2002-10-02 00:17 UTC] yohgaki@php.net
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.

 [2002-10-02 00:17 UTC] yohgaki@php.net
I cannot open URLs
 [2002-10-02 11:11 UTC] phpbug-011002-1 at smayw dot nask dot com
OK, let's try this again.

The issue is that PHP in safe_mode will allow files to be 'include'-d via http:// even if it will not allow files outside of open_basedir and such.

I furthermore believe this might be dependent on cURL support being compiled in.

test code (shows safe_mode/open_basedir restrictions enforced, but allows inclusion via http://):

<?php
ini_set("display_errors", "1");
// Local files outside open_basedir: refused by the safe_mode/open_basedir checks
include "/tmp/blah.php";
echo "<br>";
include "/tmp/blah2.php";
echo "<br>";
// Remote file over http://: not subject to those checks, so it is included
include "http://www.tras.pl/test.txt";
?>

code can be viewed in action at:
	http://www.tras.pl/test-safe.php
code source can be viewed at:
	http://www.tras.pl/test-safe.txt
phpinfo(); output can be viewed at:
	http://www.tras.pl/phpinfo.php

if you need more info, let me know what you need before marking this as 'bogus' again.  thanks
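A defender-side check for the behaviour the report describes, added here as an example and not code from the report or from PHP itself: an include target is resolved against an allowed base directory, and anything carrying a stream-wrapper scheme (http://, ftp://, php://, data://) is refused before it reaches include. The function name safe_include_path and the temporary tree it builds are this example's own.

```php
<?php
// Added example (not part of the bug report). Resolves a requested include
// target against an allowed base directory and refuses stream wrappers,
// which open_basedir does not cover.

function safe_include_path(string $requested, string $base): ?string
{
    // Any "scheme:" prefix selects a stream wrapper (http://, php://, ...);
    // refuse it regardless of allow_url_fopen / allow_url_include settings.
    // Side effect: file names containing ':' are rejected as well.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $requested)) {
        return null;
    }
    // The request is interpreted relative to $base; canonicalise both sides
    // so "..", symlinks and duplicate slashes cannot escape the base tree.
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($baseReal === false || $target === false) {
        return null; // base missing, or the file does not exist
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved to a path outside the allowed tree
    }
    return $target;
}

// Demonstration on a constructed temporary tree.
$base = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($base);
file_put_contents("$base/ok.php", "<?php echo 'included ok';");

var_dump(safe_include_path('ok.php', $base) !== null);           // allowed
var_dump(safe_include_path('../../../etc/passwd', $base));       // traversal
var_dump(safe_include_path('http://www.tras.pl/test.txt', $base)); // remote
var_dump(safe_include_path('php://filter/resource=ok.php', $base)); // wrapper

if (($p = safe_include_path('ok.php', $base)) !== null) {
    include $p;
}
unlink("$base/ok.php");
rmdir($base);
```

On the configuration side, allow_url_fopen = Off (and, from PHP 5.2 onward, allow_url_include = Off) disables remote includes for the whole interpreter; the function above is the per-script complement for code that must build include paths from input.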
 [2002-10-02 11:27 UTC] sander@php.net
I don't see why this is a problem. safe_mode is meant to avoid that people (who are allowed to run php scripts on a server) retrieve sensitive information from the server. In this case, the information is already 'freely' available, so it's not considered sensitive.