php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #19703 safe_mode allows include-ing of http documents
Submitted: 2002-10-01 21:40 UTC Modified: 2005-01-31 22:58 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: phpbug-011002-1 at smayw dot nask dot com Assigned:
Status: Not a bug Package: Safe Mode/open_basedir
PHP Version: 4.2.3 OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: phpbug-011002-1 at smayw dot nask dot com
New email:
PHP Version: OS:

 

 [2002-10-01 21:40 UTC] phpbug-011002-1 at smayw dot nask dot com 
I believe PHP with safe_mode enabled should not allow include-ing of files via http:// or any other remote means, if it will not allow based on permissions and open_basedir and such.

The relevand portion of httpd.conf:

php_admin_flag safe_mode on
php_admin_value open_basedir /home/web/www.tras.pl/
php_admin_value doc_root /home/web/www.tras.pl/www/
php_admin_value safe_mode_exec_dir /usr/local/php/bin

test script at:

http://www.tras.pl/test-safe.php

source at:

http://www.tras.pl/test-safe.txt

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-10-02 00:17 UTC] yohgaki@php.net 
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.
 [2002-10-02 00:17 UTC] yohgaki@php.net 
I cannot open URLs
 [2002-10-02 11:11 UTC] phpbug-011002-1 at smayw dot nask dot com 
OK, let's try this again.

The issue is that PHP in safe_mode will allow files to be 'include'-d via http:// even if it will not allow files outside of open_basedir and such.

I furthermore believe this might be dependent on cURL support being compiled in.

test code (shows safe_mode/open_basedir restrictions enforced, but allows inclusion via http://):

<? ini_set ("display_errors", "1"); 
   include "/tmp/blah.php"; 
   echo "<br>"; 
   include "/tmp/blah2.php"; 
   echo "<br>"; 
   include "http://www.tras.pl/test.txt" ?>

code can be viewed in action at:
	http://www.tras.pl/test-safe.php
code source can be viewed at:
	http://www.tras.pl/test-safe.txt
phpinfo(); output can be viewed at:
	http://www.tras.pl/phpinfo.php

if you need more info, let me know what you need before marking this as 'bogus' again.  thanks
 [2002-10-02 11:27 UTC] sander@php.net 
I don't see why this is a problem. safe_mode is meant to avoid that people (who are allowed to run php scripts on a server) retrieve sensitive information from the server. In this case, the information is already 'freely' available, so it's not considered sensitive.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Tue Apr 16 13:01:30 2024 UTC