Bug #23278 safe_mode too strict at show_source()
Submitted: 2003-04-19 06:03 UTC Modified: 2003-04-21 12:33 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:1 of 2 (50.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: adrian at planetcoding dot net Assigned:
Status: Closed Package: *General Issues
PHP Version: 4.3.1 OS: SuSE Linux 8.1 w/ Confixx 2 pro
Private report: No CVE-ID: None
 [2003-04-19 06:03 UTC] adrian at planetcoding dot net
The safe_mode seems to be too strict when using show_source:
PHP can delete an uploaded file which is owned by the webserver, can read it w/ fopen or readfile, can do anything with it except show_source.
I just get the safe_mode restriction in effect... - message.
If I use fopen and highlight_string, it works fine.

./configure:
'./configure' '--prefix=/usr/share' '--bindir=/usr/bin' '--libdir=/usr/lib' '--datadir=/usr/share/php' '--includedir=/usr/include' '--with-apxs=/usr/sbin/apxs' '--enable-force-cgi-redirect' '--with-config-file-path=/etc' '--with-openssl' '--with-zlib' '--enable-bcmath' '--with-bz2' '--enable-calendar' '--with-curl' '--enable-exif' '--enable-ftp' '--with-gd' '--enable-gd-native-ttf' '--enable-gd-imgstrttf' '--with-gettext' '--with-iconv' '--enable-mbstring' '--enable-mbregex' '--with-mcal' '--with-mcrypt' '--with-mhash' '--with-ming' '--with-mysql' '--with-ncurses' '--with-pdflib' '--with-readline' '--enable-shmop' '--enable-sysvsem' '--enable-sysvshm' '--enable-wddx' '--enable-versioning' '--with-xml' '--enable-ctype' 


phpinfo: http://www.planetcoding-server.net/phpinfo.php

 [2003-04-21 09:58 UTC] sniper@php.net
Not enough information was provided for us to be able
to handle this bug. Please re-read the instructions at
http://bugs.php.net/how-to-report.php

If you can provide more information, feel free to add it
to this bug and change the status back to "Open".

Thank you for your interest in PHP.


 [2003-04-21 10:18 UTC] adrian at planetcoding dot net
this code:
__________________________
ob_start();
show_source("files/".$version_info['version_id'].ifelse($file_info['extension'],".".$file_info['extension']));
$source = ob_get_contents();
ob_end_clean();
__________________________
throws this error: Warning: show_source() [function.show-source.html]: SAFE MODE Restriction in effect. The script whose uid is 641 is not allowed to access files/21.php owned by uid 30 in /home/www/web5/html/browse.php on line 240

this code (and any other file operations) works:
__________________________
ob_start();
$fp = fopen("files/".$version_info['version_id'].ifelse($file_info['extension'],".".$file_info['extension']),'r');
$source = fread($fp,filesize("files/".$version_info['version_id'].ifelse($file_info['extension'],".".$file_info['extension'])));
highlight_string($source);
$source = ob_get_contents();
ob_end_clean();
__________________________
 [2003-04-21 10:24 UTC] adrian at planetcoding dot net
[status set to open again]
 [2003-04-21 10:40 UTC] adrian at planetcoding dot net
ps: the file was uploaded via HTTP upload and moved to ./files with move_uploaded_file()
 [2003-04-21 12:33 UTC] sniper@php.net
This bug has been fixed in CVS.

In case this was a PHP problem, snapshots of the sources are packaged
every three hours; this change will be in the next snapshot. You can
grab the snapshot at http://snaps.php.net/.
 
In case this was a documentation problem, the fix will show up soon at
http://www.php.net/manual/.

In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites in short time.
 
Thank you for the report, and for helping us make PHP better.

Now fopen() also honors the safe-mode.

 
Last updated: Sat May 04 13:01:30 2024 UTC