Bug #19703 safe_mode allows include-ing of http documents
Submitted: 2002-10-01 21:40 UTC Modified: 2005-01-31 22:58 UTC
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: phpbug-011002-1 at smayw dot nask dot com Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 4.2.3 OS: Linux
Private report: No CVE-ID: None


 [2002-10-01 21:40 UTC] phpbug-011002-1 at smayw dot nask dot com
I believe PHP with safe_mode enabled should not allow include-ing of files via http:// or any other remote means, if it will not allow based on permissions and open_basedir and such.

The relevant portion of httpd.conf:

php_admin_flag safe_mode on
php_admin_value open_basedir /home/web/
php_admin_value doc_root /home/web/
php_admin_value safe_mode_exec_dir /usr/local/php/bin

test script at:

source at:


 [2002-10-02 00:17 UTC]
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.

 [2002-10-02 00:17 UTC]
I cannot open URLs
 [2002-10-02 11:11 UTC] phpbug-011002-1 at smayw dot nask dot com
OK, let's try this again.

The issue is that PHP in safe_mode will allow files to be 'include'-d via http:// even if it will not allow files outside of open_basedir and such.

I furthermore believe this might be dependent on cURL support being compiled in.

test code (shows safe_mode/open_basedir restrictions enforced, but allows inclusion via http://):

<? ini_set ("display_errors", "1"); 
   include "/tmp/blah.php"; 
   echo "<br>"; 
   include "/tmp/blah2.php"; 
   echo "<br>"; 
   include "" ?>

code can be viewed in action at:
code source can be viewed at:
phpinfo(); output can be viewed at:

If you need more info, let me know what you need before marking this as 'bogus' again. Thanks.
 [2002-10-02 11:27 UTC]
I don't see why this is a problem. safe_mode is meant to avoid that people (who are allowed to run php scripts on a server) retrieve sensitive information from the server. In this case, the information is already 'freely' available, so it's not considered sensitive.
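
Added example, not part of the original report or of PHP itself: for code that wants to refuse URL-style include targets regardless of safe_mode, one approach is to resolve the path and confirm it is a local file under the allowed base directory before including it. The helper names resolve_local_include() and remote_include_settings() are hypothetical and the paths and URL are constructed samples; allow_url_fopen and allow_url_include are real ini directives, the latter only existing from PHP 5.2.0, later than the 4.2.3 in this report.

```php
<?php
// Added example (PHP 7.1+), not from the bug report.
// resolve_local_include() and remote_include_settings() are hypothetical helpers.

// Return the real path of $path if it is a local file under $baseDir, else null.
function resolve_local_include(string $path, string $baseDir): ?string
{
    // Refuse stream-wrapper style names (http://, ftp://, php://, data:, ...)
    // and NUL bytes. Assumes Linux-style paths, which contain no "scheme:".
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $path) || strpos($path, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($path); // resolves symlinks and ".."; false if missing
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Compare with a trailing separator so /home/web-old does not match /home/web.
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($real, $base, strlen($base)) === 0 ? $real : null;
}

// Report the ini directives that govern URL wrappers for include/fopen.
function remote_include_settings(): array
{
    $on = function ($name) {
        return filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
    };
    return ['allow_url_fopen' => $on('allow_url_fopen'),
            'allow_url_include' => $on('allow_url_include')];
}

// Constructed sample inputs: a temp directory stands in for /home/web/.
$base = sys_get_temp_dir() . '/web_' . getmypid();
mkdir($base);
file_put_contents("$base/ok.php", "<?php echo 'local include ok'; ?>\n");
$candidates = ["$base/ok.php", "$base/../../etc/passwd", '/tmp/blah.php',
               'http://example.invalid/blah.php'];
foreach ($candidates as $c) {
    $real = resolve_local_include($c, $base);
    echo $c, ' => ', $real === null ? 'refused' : "allowed ($real)", "\n";
}
var_export(remote_include_settings());
unlink("$base/ok.php");
rmdir($base);
```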
Last updated: Wed Jun 03 13:01:25 2020 UTC