From:             roman at compic dot ee
Operating system: *nix
PHP version:      4.3.3
PHP Bug Type:     Feature/Change Request
Bug description:  Advanced parameter, exec_dir for non SAFE_MODE

Description:
------------
By now we have safe_mode_exec_dir
working (and good) for shared hosting, only if SAFE_MODE is enabled.

But often, SAFE_MODE needs to be turned off. After this
safe_mode_exec_dir is nothing. So we need to disable some functions
(system, passthru, ...). But it can be done only for _ALL_ hosts. So if one
host uses "system()" in "safe_mode 1" for one or two special programs and
is happy - I can't turn SAFE_MODE 0 for other hosts. It becomes really dangerous
- sometimes users have insecure scripts and by using
'blah.php?f=http://somethere...' an intruder can get a nobody shell. Nobody
shell means - he can read the mysql password in config.php or settings.php
files. He can also install a blindshell.

So maybe it would be good to add an 'exec_dir' variable that works in 'safe_mode 0'?


Reproduce code:
---------------
none needed


-- 
Edit bug report at http://bugs.php.net/?id=26026&edit=1