Request #26026 Add exec_dir directive (same as safe_mode_exec_dir but without safe-mode)
Submitted: 2003-10-29 05:23 UTC Modified: 2017-01-08 06:01 UTC
Votes:8
Avg. Score:4.5 ± 0.7
Reproduced:6 of 7 (85.7%)
Same Version:4 (66.7%)
Same OS:4 (66.7%)
From: roman at compic dot ee Assigned: krakjoe (profile)
Status: Closed Package: Program Execution
PHP Version: * OS: *
Private report: No CVE-ID: None
 [2003-10-29 05:23 UTC] roman at compic dot ee
Description:
------------
By now we have safe_mode_exec_dir working (and good) for shared hosting, only if SAFE_MODE is enabled.

But often, SAFE_MODE needs to be turned off. After this, safe_mode_exec_dir is nothing. So we need to disable some functions (system, passthru, ...). But it can be done only for _ALL_ hosts. So if one host uses "system()" in "safe_mode 1" for one or two special programs and is happy, I can't turn SAFE_MODE 0 for other hosts. It becomes really dangerous: sometimes users have insecure scripts, and by using 'blah.php?f=http://somethere...' an intruder can get a nobody shell. A nobody shell means he can read the MySQL password in config.php or settings.php files. He can also install a blindshell.

So maybe it would be good to add an 'exec_dir' variable for working in 'safe_mode 0'?


Reproduce code:
---------------
none needed
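
What the request asks for, sketched in userland as an added example (not code from PHP itself or from any patch for it): run only programs that resolve inside one directory. `EXEC_DIR` and `run_allowed()` are hypothetical names, the directory path is an assumption, and the array form of `proc_open()` requires PHP 7.4 or later.

```php
<?php
// Added example: userland approximation of the requested exec_dir behaviour.
// EXEC_DIR and run_allowed() are hypothetical names, not PHP directives or APIs.
const EXEC_DIR = '/usr/local/php-bin'; // assumed per-site directory of permitted programs

function run_allowed(string $program, array $args = []): array
{
    // Accept a bare file name only; a path component would let the caller
    // point outside EXEC_DIR, which is what the directive is meant to prevent.
    if ($program === '' || basename($program) !== $program) {
        throw new InvalidArgumentException('program must be a bare file name');
    }

    // Resolve symlinks on both sides before comparing, so a link inside
    // EXEC_DIR that points elsewhere is rejected (a deliberately strict choice).
    $dir  = realpath(EXEC_DIR);
    $path = realpath(EXEC_DIR . DIRECTORY_SEPARATOR . $program);
    if ($dir === false || $path === false) {
        throw new RuntimeException("not found inside exec dir: $program");
    }
    $prefix = rtrim($dir, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0
        || !is_file($path) || !is_executable($path)) {
        throw new RuntimeException("not an executable inside exec dir: $program");
    }

    // An array command makes proc_open() start the program directly, with no
    // shell in between to interpret metacharacters in the arguments.
    $cmd  = array_merge([$path], array_map('strval', array_values($args)));
    $spec = [1 => ['pipe', 'w'], 2 => ['redirect', 1]]; // stderr merged into stdout
    $proc = proc_open($cmd, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start process');
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return ['exit' => proc_close($proc), 'output' => $output];
}

// Constructed usage: a program placed in EXEC_DIR runs, anything else throws.
// $r = run_allowed('convert', ['in.png', 'out.jpg']);
// run_allowed('../../bin/sh');   // InvalidArgumentException
```

A wrapper like this constrains only the code that calls it. Code that an attacker gets included into the site can call `system()` directly, so the wrapper does not replace per-site isolation at the operating-system level.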


 [2005-09-23 13:49 UTC] derbubi at gmx dot net
A Patch for this problem is available here:
http://kyberdigi.cz/projects/execdir/english.html

This Option would be very nice, even if it decreases performance (if this decrease is optional)
 [2011-01-01 23:28 UTC] jani@php.net
-Summary: Advanced parametr, exec_dir for non SAFE_MODE
+Summary: Add exec_dir directive (same as safe_mode_exec_dir but without safe-mode)
-Package: Feature/Change Request
+Package: Program Execution
-Operating System: *nix
+Operating System: *
-PHP Version: 4.3.3
+PHP Version: *
 [2012-04-20 12:53 UTC] php at cabillot dot eu
To the PHP team: what do you think about this feature?

Now that safe_mode is disabled, how can hosting companies protect consumers from themselves?
 [2013-03-19 19:48 UTC] valentiny510 at yahoo dot es
After 10 years, with removed safe_mode, guys, please just close many of the old Bugs/Requests like this or simply add a new status like DEPRECATED.. or change something.. 10 Years.. cmon

- - -

I remember a man who made an appointment with the doctor and 6-7 years after his death his widow received a letter saying that they canceled the appointment.
 [2014-01-22 17:04 UTC] jcabillot at gmail dot com
Hi,

Can the PHP Team explain why this bug is still open and not included?

Julien
 [2017-01-08 06:01 UTC] krakjoe@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: krakjoe
 [2017-01-08 06:01 UTC] krakjoe@php.net
We have moved away from this kind of magical configuration setting because it has proven inadequate.

I'm closing this bug.
 
Last updated: Sun Dec 04 12:03:58 2022 UTC