PHP :: Request #43822 :: Allow ini_set('include_path', ??) even when php_admin_value include

Allow ini_set('include_path', ??) even when php_admin_value include_path is set

Submitted:

2008-01-11 20:55 UTC

Modified:

2011-04-08 21:32 UTC

Votes:	6
Avg. Score:	4.3 ± 0.9
Reproduced:	5 of 5 (100.0%)
Same Version:	3 (60.0%)
Same OS:	0 (0.0%)

From:

birne at 007mail dot de

Assigned:

Status:

Open

Package:

PHP options/info functions

PHP Version:

5.2.5

OS:

Ubuntu Linux 7.10

Private report:

CVE-ID:

None

View Developer Edit

[2008-01-11 20:55 UTC] birne at 007mail dot de

Description:
------------
After the patch for #41561 was applied, ini_set() could no longer overwrite any configuration value that was previously defined using php_admin_*. 

In #43598 sniper wrote: php_admin_* is supposed to make any such option unusable by anybody in any script. And it's meant for hosting companies.

I agree, that in a hosting environment no customer should be able to overwrite configuration like open_basedir. But there is no harm in allowing the customer to change include_path; on the contrary is it of great use for the customer to add his own libraries.

Before the #41561 patch was applied, this was already possible for years and that was no bug, because overwriting open_basedir was not possible at all.

I suggest to define another "Changeable" scope (see http://php.net/manual/en/ini.php) for configuration values like "PHP_INI_OVERWRITEABLE" wich behaves like "PHP_INI_ALL" but in addition to that can be overwritten using ini_set() even when previously defined using php_admin_*. The inlude_path would be one of the new PHP_INI_OVERWRITEABLE directives, additional harmless ones must be defined.

Please make sure to properly document that change - the new behavior of the patch for #41561 is still not documented anywhere (or I did not find it..)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-01-11 21:59 UTC] derick@php.net

I think you can use set_include_path() for this: http://no.php.net/manual/en/function.set-include-path.php

[2009-03-20 13:13 UTC] derernst at gmx dot ch

Using set_include_path() instead of ini_set('include_path') does not seem to make a difference.

I consider this change, that disables setting the include_path at runtime, a severe backwards compatibility break. For example it can make an application that relies on a manual PEAR installation unuseable. This is a problem specially in shared hosting environments, where you usually can't control the server configuration.

[2010-06-10 13:09 UTC] jo at feuersee dot de

PHP 5.3.2
As derernst corretly stated, using set_include_path() instead of ini_set() 
does not make any difference.
This behavior doesn't add any security (as you can still include files 
anywhere as long as open_basedir allows it), but limits convenience (eg. 
adding a framework, writing custom autoloader functions, ...)

[2011-04-08 21:32 UTC] jani@php.net

-Package: Feature/Change Request +Package: PHP options/info functions

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Apr 01 19:01:31 2025 UTC