|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #43822 Allow ini_set('include_path', ??) even when php_admin_value include_path is set
Submitted: 2008-01-11 20:55 UTC Modified: 2011-04-08 21:32 UTC
Avg. Score:4.3 ± 0.9
Reproduced:5 of 5 (100.0%)
Same Version:3 (60.0%)
Same OS:0 (0.0%)
From: birne at 007mail dot de Assigned:
Status: Open Package: PHP options/info functions
PHP Version: 5.2.5 OS: Ubuntu Linux 7.10
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
Solve the problem:
27 - 23 = ?
Subscribe to this entry?

 [2008-01-11 20:55 UTC] birne at 007mail dot de
After the patch for #41561 was applied, ini_set() could no longer overwrite any configuration value that was previously defined using php_admin_*. 

In #43598 sniper wrote: php_admin_* is supposed to make any such option unusable by anybody in any script. And it's meant for hosting companies.

I agree, that in a hosting environment no customer should be able to overwrite configuration like open_basedir. But there is no harm in allowing the customer to change include_path; on the contrary is it of great use for the customer to add his own libraries.

Before the #41561 patch was applied, this was already possible for years and that was no bug, because overwriting open_basedir was not possible at all.

I suggest to define another "Changeable" scope (see for configuration values like "PHP_INI_OVERWRITEABLE" wich behaves like "PHP_INI_ALL" but in addition to that can be overwritten using ini_set() even when previously defined using php_admin_*. The inlude_path would be one of the new PHP_INI_OVERWRITEABLE directives, additional harmless ones must be defined.

Please make sure to properly document that change - the new behavior of the patch for #41561 is still not documented anywhere (or I did not find it..)


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2008-01-11 21:59 UTC]
I think you can use set_include_path() for this:
 [2009-03-20 13:13 UTC] derernst at gmx dot ch
Using set_include_path() instead of ini_set('include_path') does not seem to make a difference.

I consider this change, that disables setting the include_path at runtime, a severe backwards compatibility break. For example it can make an application that relies on a manual PEAR installation unuseable. This is a problem specially in shared hosting environments, where you usually can't control the server configuration.
 [2010-06-10 13:09 UTC] jo at feuersee dot de
PHP 5.3.2
As derernst corretly stated, using set_include_path() instead of ini_set() 
does not make any difference.
This behavior doesn't add any security (as you can still include files 
anywhere as long as open_basedir allows it), but limits convenience (eg. 
adding a framework, writing custom autoloader functions, ...)
 [2011-04-08 21:32 UTC]
-Package: Feature/Change Request +Package: PHP options/info functions
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue May 21 07:01:31 2024 UTC