|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #26026 Add exec_dir directive (same as safe_mode_exec_dir but without safe-mode)
Submitted: 2003-10-29 05:23 UTC Modified: 2017-01-08 06:01 UTC
Avg. Score:4.5 ± 0.7
Reproduced:6 of 7 (85.7%)
Same Version:4 (66.7%)
Same OS:4 (66.7%)
From: roman at compic dot ee Assigned: krakjoe (profile)
Status: Closed Package: Program Execution
PHP Version: * OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: roman at compic dot ee
New email:
PHP Version: OS:


 [2003-10-29 05:23 UTC] roman at compic dot ee
By bow we have safe_mode_exec_dir
working (and good) for shared hosting, only if SAFE_MODE enabled.

But often, SAFE_MODE need to be turned off. After this
safe_mode_exec_dir is nothing. So we need to disable some funtions (system,passthru,...). But it can be done only for _ALL_ hosts. So if one host use "system()" in "safe_mode 1" to one or two special programs and happy - i can't turn SAFE_MODE 0 for other hosts. It's became realy danger - sometimes users have unsecure scripts and by using 'blah.php?f=http://somethere...' intruder can get nobody shell. Nobody shell mean - He can read mysql password in config.php or settings.php files. He also can install blindshell.

So maybe good to add 'exec_dir' variable for working in 'safe_mode 0' ?

Reproduce code:
none needed


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2005-09-23 13:49 UTC] derbubi at gmx dot net
A Patch for this problem is available here:

This Option would be very nice, even if it decreases performance (if this decrease is optional)
 [2011-01-01 23:28 UTC]
-Summary: Advanced parametr, exec_dir for non SAFE_MODE +Summary: Add exec_dir directive (same as safe_mode_exec_dir but without safe-mode) -Package: Feature/Change Request +Package: Program Execution -Operating System: *nix +Operating System: * -PHP Version: 4.3.3 +PHP Version: *
 [2012-04-20 12:53 UTC] php at cabillot dot eu
To the php team : what do you think about this feature ?

Now that safe_mode is disabled, how hosting companies can protect consumers from 
themselves ?
 [2013-03-19 19:48 UTC] valentiny510 at yahoo dot es
After 10 years, with removed safe_mode, guys please just close many of old Bugs/Requests like this or simple add a new status like DEPRECATED.. or change something.. 10 Years.. cmon 

- - -

I remember a man who made an appointment with the doctor and 6-7 years after his death his widow received a letter saying that they canceled the appointment.
 [2014-01-22 17:04 UTC] jcabillot at gmail dot com

Can the PHP Team explain why this bug is still open and not included ?

 [2017-01-08 06:01 UTC]
-Status: Open +Status: Closed -Assigned To: +Assigned To: krakjoe
 [2017-01-08 06:01 UTC]
We have moved away from this kind of magical configuration setting because it has proven inadequate.

I'm closing this bug.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jun 18 00:01:32 2024 UTC