php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #7217 Security Problem with "include_dir" configuration
Submitted: 2000-10-15 03:49 UTC Modified: 2001-08-27 11:44 UTC
From: afader at asqnet dot org Assigned:
Status: Duplicate Package: Feature/Change Request
PHP Version: 4.0.2 OS: linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: afader at asqnet dot org
New email:
PHP Version: OS:

 

 [2000-10-15 03:49 UTC] afader at asqnet dot org
Okay - set up a common script directory. /home/httpd/phpi
in php.ini - set include_dir = .:/home/httpd/phpi
set safe_mode on.
Put a file into the directory.  Call it "counter.inc"
make the owner of counter.inc any user and any group.
make a web page with a different user in the same group.

the web page cannot include("counter.inc"); you get a warning: SAFE MODE that uid 1 <> uid 2.

This makes it impossible to have shared php includes across multiple users.

- REQUEST -
Allow some way for SAFE MODE to ignore user matching on a selected directory (or set of directories.)  Or ignore matching for a specific userid/or/groupid on the target files???

Or, let me know what I'm doing wrong???

- Thanks -
Alexander

p.s. PHP rules ;-)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-08-27 11:44 UTC] sander@php.net
Duplicate of 8963.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC