Request #26026 Add exec_dir directive (same as safe_mode_exec_dir but without safe-mode)
Submitted: 2003-10-29 05:23 UTC Modified: 2017-01-08 06:01 UTC
Votes:8
Avg. Score:4.5 ± 0.7
Reproduced:6 of 7 (85.7%)
Same Version:4 (66.7%)
Same OS:4 (66.7%)
From: roman at compic dot ee Assigned: krakjoe (profile)
Status: Closed Package: Program Execution
PHP Version: * OS: *
Private report: No CVE-ID: None

 

 [2003-10-29 05:23 UTC] roman at compic dot ee
Description:
------------
By now we have safe_mode_exec_dir
working (and good) for shared hosting, only if SAFE_MODE is enabled.

But often, SAFE_MODE needs to be turned off. After this
safe_mode_exec_dir is nothing. So we need to disable some functions (system, passthru, ...). But it can be done only for _ALL_ hosts. So if one host uses "system()" in "safe_mode 1" for one or two special programs and is happy - I can't turn SAFE_MODE 0 for other hosts. It becomes really dangerous - sometimes users have insecure scripts and by using 'blah.php?f=http://somethere...' an intruder can get a nobody shell. Nobody shell means - he can read the mysql password in config.php or settings.php files. He can also install blindshell.

So maybe it would be good to add an 'exec_dir' variable for working in 'safe_mode 0'?


Reproduce code:
---------------
none needed
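
An application-level approximation of the restriction requested above, as an added example (not part of the original report and not PHP's own code): it resolves a bare program name inside one directory and starts it without a shell. `EXEC_DIR`, `resolve_in_exec_dir()` and `run_from_exec_dir()` are hypothetical names, and the directory path is an assumption.

```php
<?php
// Hypothetical constant: directory holding the only programs scripts may start.
// Assumed to be owned by root and not writable by the web server user.
const EXEC_DIR = '/usr/local/php-bin';

// Map a bare program name to an executable that really lives in $execDir.
function resolve_in_exec_dir(string $program, string $execDir = EXEC_DIR): string
{
    // Bare names only: anything containing a directory part is refused.
    if ($program === '' || $program === '.' || $program === '..'
        || basename($program) !== $program) {
        throw new InvalidArgumentException('program must be a bare file name');
    }
    $dir = realpath($execDir);
    if ($dir === false) {
        throw new RuntimeException('exec directory does not exist');
    }
    // realpath() follows symlinks, so a link that points outside the
    // directory resolves to a different parent and is refused below.
    $path = realpath($dir . DIRECTORY_SEPARATOR . $program);
    if ($path === false || dirname($path) !== $dir
        || !is_file($path) || !is_executable($path)) {
        throw new RuntimeException('not an executable inside the exec directory');
    }
    return $path;
}

// Run the program with arguments; returns [exit code, stdout].
function run_from_exec_dir(string $program, array $args = [], string $execDir = EXEC_DIR): array
{
    $cmd = array_merge([resolve_in_exec_dir($program, $execDir)], array_map('strval', $args));
    // The array form of proc_open() (PHP 7.4+) starts the program directly,
    // so no shell parses the arguments. stderr stays on the parent's stderr.
    $proc = proc_open($cmd, [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start program');
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return [proc_close($proc), $stdout];
}
```

A wrapper like this only constrains code that calls it; in the remote-include case the report describes, injected code can call system() directly, so separation between hosts still has to come from the operating system or the PHP process configuration.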


 [2005-09-23 13:49 UTC] derbubi at gmx dot net
A Patch for this problem is available here:
http://kyberdigi.cz/projects/execdir/english.html

This option would be very nice, even if it decreases performance (if this decrease is optional).
 [2011-01-01 23:28 UTC] jani@php.net
-Summary: Advanced parametr, exec_dir for non SAFE_MODE
+Summary: Add exec_dir directive (same as safe_mode_exec_dir but without safe-mode)
-Package: Feature/Change Request
+Package: Program Execution
-Operating System: *nix
+Operating System: *
-PHP Version: 4.3.3
+PHP Version: *
 [2012-04-20 12:53 UTC] php at cabillot dot eu
To the PHP team: what do you think about this feature?

Now that safe_mode is disabled, how can hosting companies protect consumers from themselves?
 [2013-03-19 19:48 UTC] valentiny510 at yahoo dot es
After 10 years, with safe_mode removed, guys, please just close many of the old Bugs/Requests like this or simply add a new status like DEPRECATED.. or change something.. 10 Years.. c'mon

- - -

I remember a man who made an appointment with the doctor and 6-7 years after his death his widow received a letter saying that they canceled the appointment.
 [2014-01-22 17:04 UTC] jcabillot at gmail dot com
Hi,

Can the PHP Team explain why this bug is still open and not included?

Julien
 [2017-01-08 06:01 UTC] krakjoe@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: krakjoe
 [2017-01-08 06:01 UTC] krakjoe@php.net
We have moved away from this kind of magical configuration setting because it has proven inadequate.

I'm closing this bug.
 
Last updated: Tue Dec 03 08:01:28 2024 UTC