Hi again,
I believe it should disallow opening a directory in safe mode if the UID
of the directory does not match the UID of the PHP script.
That is exactly the behavior of fopen() in safe mode.
Without that behavior, users are permitted to write a PHP script that lets
them crawl around the
[EMAIL PROTECTED] wrote:
Hi again,
I believe it should disallow opening a directory in safe mode if the UID
of the directory does not match the UID of the PHP script.
That is exactly the behavior of fopen() in safe mode.
Without that behavior, users are permitted to write a PHP script
Yasuo Ohgaki wrote:
[EMAIL PROTECTED] wrote:
It happens on our system that there will never be any files owned by
user A under a directory owned by user B. But even if there were, I think
safe mode should disallow this type of filesystem reading.
Under UNIX-like systems, /tmp is world
[EMAIL PROTECTED] wrote:
When in safe mode shouldn't PHP check to see if the directory that is
about to be opened with an opendir() function has the same UID as the PHP
script itself, and fail if the UIDs do not match?
From 4.1.0, optional GID check is available.
Because in PHP 4.0.6
But where user fred can opendir() a directory owned by user mary
(underneath the open_basedir), that action doesn't even pass a UID check
if the UIDs are supposed to match in safe mode in order for the action to
be allowed.
How would an optional GID check help?
A.
When in safe mode
[EMAIL PROTECTED] wrote:
But where user fred can opendir() a directory owned by user mary
(underneath the open_basedir), that action doesn't even pass a UID check
if the UIDs are supposed to match in safe mode in order for the action to
be allowed.
How would an optional GID check help?