Bug #19703 safe_mode allows include-ing of http documents
Submitted: 2002-10-01 21:40 UTC
Modified: 2005-01-31 22:58 UTC
Avg. Score: 5.0 ± 0.0
Reproduced: 2 of 2 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: phpbug-011002-1 at smayw dot nask dot com
Assigned:
Status: Not a bug
Package: Safe Mode/open_basedir
PHP Version: 4.2.3
OS: Linux
Private report: No
CVE-ID: None


 [2002-10-01 21:40 UTC] phpbug-011002-1 at smayw dot nask dot com
I believe PHP with safe_mode enabled should not allow include-ing of files via http:// or any other remote means, if it will not allow based on permissions and open_basedir and such.

The relevant portion of httpd.conf:

php_admin_flag safe_mode on
php_admin_value open_basedir /home/web/
php_admin_value doc_root /home/web/
php_admin_value safe_mode_exec_dir /usr/local/php/bin

test script at:

source at:


 [2002-10-02 00:17 UTC]
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.

 [2002-10-02 00:17 UTC]
I cannot open URLs
 [2002-10-02 11:11 UTC] phpbug-011002-1 at smayw dot nask dot com
OK, let's try this again.

The issue is that PHP in safe_mode will allow files to be 'include'-d via http:// even if it will not allow files outside of open_basedir and such.

I furthermore believe this might be dependent on cURL support being compiled in.

test code (shows safe_mode/open_basedir restrictions enforced, but allows inclusion via http://):

<? ini_set ("display_errors", "1"); 
   include "/tmp/blah.php"; 
   echo "<br>"; 
   include "/tmp/blah2.php"; 
   echo "<br>"; 
   include "" ?>

code can be viewed in action at:
code source can be viewed at:
phpinfo(); output can be viewed at:

If you need more info, let me know what you need before marking this as 'bogus' again. Thanks.
 [2002-10-02 11:27 UTC]
I don't see why this is a problem. safe_mode is meant to avoid that people (who are allowed to run php scripts on a server) retrieve sensitive information from the server. In this case, the information is already 'freely' available, so it's not considered sensitive.
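
Added example (not part of the bug report and not PHP project code): on PHP 4.x, whether include accepts a URL is governed by the allow_url_fopen ini directive, not by safe_mode or open_basedir (allow_url_include was added in PHP 5.2). The sketch below, written for PHP 7.4 or later, refuses stream-wrapper sources and anything outside an include root before calling include; the helper names and the temporary directory standing in for /home/web/ are assumptions for the demonstration.

```php
<?php
// Added example, not from the bug report. Helper names are hypothetical.

/** Return the canonical local path of $requested if it is a file inside $baseDir. */
function resolve_local_include(string $requested, string $baseDir): string
{
    // Refuse every scheme-prefixed source (http://, ftp://, php://, data:),
    // not only http://. This also refuses Windows drive-letter paths.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $requested)) {
        throw new RuntimeException("stream wrapper refused: $requested");
    }
    $real = realpath($requested);   // resolves ../ and symlinks
    $base = realpath($baseDir);
    if ($real === false || $base === false || !is_file($real)) {
        throw new RuntimeException("not a local file: $requested");
    }
    // Trailing separator so /home/web-other does not pass as /home/web.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $base, strlen($base)) !== 0) {
        throw new RuntimeException("outside include root: $requested");
    }
    return $real;
}

/** Names of the ini settings that currently permit URL sources. */
function remote_include_settings(): array
{
    return array_values(array_filter(
        ['allow_url_fopen', 'allow_url_include'],
        fn($k) => filter_var(ini_get($k), FILTER_VALIDATE_BOOLEAN)
    ));
}

// Constructed demo: a temporary include root with one local script in it.
$root = sys_get_temp_dir() . '/web_' . getmypid();
is_dir($root) || mkdir($root);
file_put_contents("$root/page.php", "<?php echo 'local include ok';");
$candidates = ["$root/page.php", "$root/../../etc/passwd", 'http://example.invalid/x.php'];
foreach ($candidates as $candidate) {
    try {
        include resolve_local_include($candidate, $root);
        echo "\n";
    } catch (RuntimeException $e) {
        echo 'refused: ', $e->getMessage(), "\n";
    }
}
echo 'URL sources enabled by: ', implode(', ', remote_include_settings()) ?: 'none', "\n";
unlink("$root/page.php"); rmdir($root);
```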
Last updated: Sat Jul 11 03:01:25 2020 UTC