Edit report at https://bugs.php.net/bug.php?id=26026&edit=1
ID: 26026
Comment by: php at cabillot dot eu
Reported by: roman at compic dot ee
Summary: Add exec_dir directive (same as safe_mode_exec_dir but without safe-mode)
Status: Open
Type: Feature/Change Request
Package: Program Execution
Operating System: *
PHP Version: *
Block user comment: N
Private report: N
New Comment:
To the PHP team: what do you think about this feature?
Now that safe_mode is disabled, how can hosting companies protect consumers from themselves?
Previous Comments:
------------------------------------------------------------------------
[2005-09-23 13:49:42] derbubi at gmx dot net
A patch for this problem is available here:
http://kyberdigi.cz/projects/execdir/english.html
This option would be very nice, even if it decreases performance (if this decrease is optional).
------------------------------------------------------------------------
[2003-10-29 05:23:31] roman at compic dot ee
Description:
------------
By now we have safe_mode_exec_dir working (and good) for shared hosting, but only if SAFE_MODE is enabled.
But often SAFE_MODE needs to be turned off. After this, safe_mode_exec_dir does nothing. So we need to disable some functions (system, passthru, ...). But that can be done only for _ALL_ hosts. So if one host uses "system()" in "safe_mode 1" for one or two special programs and is happy, I can't turn SAFE_MODE to 0 for other hosts. It has become really dangerous: sometimes users have insecure scripts, and by using 'blah.php?f=http://somethere...' an intruder can get a nobody shell. A nobody shell means he can read the MySQL password in config.php or settings.php files. He can also install a blindshell.
So maybe it would be good to add an 'exec_dir' variable that works in 'safe_mode 0'?
Reproduce code:
---------------
none needed
------------------------------------------------------------------------
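The check the requested exec_dir directive would make, sketched in userland PHP as an added example (not code from PHP itself or from the patch linked above). It follows the safe_mode_exec_dir rule that only programs inside one configured directory may be started. The function name exec_dir_run, the temporary demo directory and a POSIX system are assumptions.

```php
<?php
// Added example: exec_dir_run() is a hypothetical helper, not a PHP built-in.
function exec_dir_run(string $execDir, string $program, array $args = []): array
{
    $base = realpath($execDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('exec dir is missing');
    }
    // Accept a bare file name only, so "../sh" or "/bin/sh" cannot
    // select a binary outside the directory.
    if ($program === '' || $program === '.' || $program === '..'
        || basename($program) !== $program) {
        throw new InvalidArgumentException('program must be a plain file name');
    }
    $path = $base . DIRECTORY_SEPARATOR . $program;
    if (!is_file($path) || !is_executable($path)) {
        throw new RuntimeException('program not found in exec dir');
    }
    // Quote the path and every argument so shell metacharacters stay literal.
    $cmd = escapeshellarg($path);
    foreach ($args as $arg) {
        $cmd .= ' ' . escapeshellarg((string) $arg);
    }
    exec($cmd, $output, $status);
    return ['status' => $status, 'output' => $output];
}

// Constructed demo: a temporary directory holding one allowed script.
$dir = sys_get_temp_dir() . '/execdir_demo_' . getmypid();
mkdir($dir, 0700);
file_put_contents("$dir/hello", "#!/bin/sh\necho \"hello \$1\"\n");
chmod("$dir/hello", 0700);

// The second argument contains a shell metacharacter on purpose.
print_r(exec_dir_run($dir, 'hello', ['world; id']));
foreach (['/bin/sh', '../../bin/sh', 'missing'] as $bad) {
    try {
        exec_dir_run($dir, $bad);
    } catch (Exception $e) {
        echo "$bad rejected: ", $e->getMessage(), "\n";
    }
}
unlink("$dir/hello");
rmdir($dir);
```

A wrapper like this only constrains code that calls it. The request in this report is for the same check inside the engine, so that system(), passthru() and the other program execution functions are covered as well.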