php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #7217 Security Problem with "include_dir" configuration
Submitted: 2000-10-15 03:49 UTC Modified: 2001-08-27 11:44 UTC
From: afader at asqnet dot org Assigned:
Status: Duplicate Package: Feature/Change Request
PHP Version: 4.0.2 OS: linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
50 - 33 = ?
Subscribe to this entry?

 
 [2000-10-15 03:49 UTC] afader at asqnet dot org
Okay - set up a common script directory. /home/httpd/phpi
in php.ini - set include_dir = .:/home/httpd/phpi
set safe_mode on.
Put a file into the directory.  Call it "counter.inc"
make the owner of counter.inc any user and any group.
make a web page with a different user in the same group.

the web page cannot include("counter.inc"); you get a warning: SAFE MODE that uid 1 <> uid 2.

This makes it impossible to have shared php includes across multiple users.

- REQUEST -
Allow some way for SAFE MODE to ignore user matching on a selected directory (or set of directories.)  Or ignore matching for a specific userid/or/groupid on the target files???

Or, let me know what I'm doing wrong???

- Thanks -
Alexander

p.s. PHP rules ;-)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-08-27 11:44 UTC] sander@php.net
Duplicate of 8963.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 18:01:29 2024 UTC