php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #43822 Allow ini_set('include_path', ??) even when php_admin_value include_path is set
Submitted: 2008-01-11 20:55 UTC Modified: 2011-04-08 21:32 UTC
Votes:6
Avg. Score:4.3 ± 0.9
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:0 (0.0%)
From: birne at 007mail dot de Assigned:
Status: Open Package: PHP options/info functions
PHP Version: 5.2.5 OS: Ubuntu Linux 7.10
Private report: No CVE-ID: None
 [2008-01-11 20:55 UTC] birne at 007mail dot de
Description:
------------
After the patch for #41561 was applied, ini_set() could no longer overwrite any configuration value that was previously defined using php_admin_*. 

In #43598 sniper wrote: php_admin_* is supposed to make any such option unusable by anybody in any script. And it's meant for hosting companies.

I agree, that in a hosting environment no customer should be able to overwrite configuration like open_basedir. But there is no harm in allowing the customer to change include_path; on the contrary is it of great use for the customer to add his own libraries.

Before the #41561 patch was applied, this was already possible for years and that was no bug, because overwriting open_basedir was not possible at all.

I suggest to define another "Changeable" scope (see http://php.net/manual/en/ini.php) for configuration values like "PHP_INI_OVERWRITEABLE" wich behaves like "PHP_INI_ALL" but in addition to that can be overwritten using ini_set() even when previously defined using php_admin_*. The inlude_path would be one of the new PHP_INI_OVERWRITEABLE directives, additional harmless ones must be defined.

Please make sure to properly document that change - the new behavior of the patch for #41561 is still not documented anywhere (or I did not find it..)


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-01-11 21:59 UTC] derick@php.net
I think you can use set_include_path() for this: http://no.php.net/manual/en/function.set-include-path.php
 [2009-03-20 13:13 UTC] derernst at gmx dot ch
Using set_include_path() instead of ini_set('include_path') does not seem to make a difference.

I consider this change, that disables setting the include_path at runtime, a severe backwards compatibility break. For example it can make an application that relies on a manual PEAR installation unuseable. This is a problem specially in shared hosting environments, where you usually can't control the server configuration.
 [2010-06-10 13:09 UTC] jo at feuersee dot de
PHP 5.3.2
As derernst corretly stated, using set_include_path() instead of ini_set() 
does not make any difference.
This behavior doesn't add any security (as you can still include files 
anywhere as long as open_basedir allows it), but limits convenience (eg. 
adding a framework, writing custom autoloader functions, ...)
 [2011-04-08 21:32 UTC] jani@php.net
-Package: Feature/Change Request +Package: PHP options/info functions
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Nov 13 06:01:32 2024 UTC