ID: 33723 User updated by: ezmlm at mail dot ru Reported By: ezmlm at mail dot ru -Status: Feedback +Status: Open Bug Type: Apache related Operating System: Linux PHP Version: 5CVS-2005-07-18 New Comment:
It doesn't make any difference. php_admin_value may be in VirtualHost block or in global scope. It is reset by php_value in .htaccess in both cases. That was just a simple example to reproduce the bug. safe_mode is also only example. You can reset any options marked as PHP_INI_SYSTEM (which shouldn't be settable with php_value at all) like safe_mode or open_basedir or any other, disabling any security limitations defined in VirtualHost Previous Comments: ------------------------------------------------------------------------ [2005-07-19 10:46:39] [EMAIL PROTECTED] Isn't the php_admin_value inside any <VirtualHost> block?? ------------------------------------------------------------------------ [2005-07-19 08:41:21] ezmlm at mail dot ru This problem does not exist in php5 module for Apache2. It only exists in php5 module for Apache1 cause those are completly different modules. Using php_admin_value safe_mode 1 didn't change anything. again the steps to reproduce the problem. Apache 1.3.33 is configured with ./configure --enable-module=so and installed with make && make install php is configured with ./configure --with-apxs=/usr/local/apache/bin/apxs then installed with make && make install In httpd.conf added: AddType application/x-httpd-php .php .phtml php_admin_value safe_mode on In <Directory "/usr/local/apache/htdocs"> section set AllowOverride Options to allow php_flag and php_value in .htaccess In /usr/local/apache/htdocs created info.phtml: <?php system('cat /etc/passwd'); phpinfo(); ?> The result is that safe_mode is ON and content of /etc/passwd IS NOT displayed. Now create .htaccess in /usr/local/apache/htdocs: php_flag safe_mode off The result is that phpinfo() shows safe_mode is OFF and content of /etc/passwd IS displayed. ------------------------------------------------------------------------ [2005-07-19 00:45:21] [EMAIL PROTECTED] Try change that php_admin_value line in httpd.conf to this: php_admin_value safe_mode 1 ------------------------------------------------------------------------ [2005-07-19 00:43:19] [EMAIL PROTECTED] I can't reproduce this override problem when using Apache2. ------------------------------------------------------------------------ [2005-07-19 00:37:23] [EMAIL PROTECTED] Solved. I had wrong permissions and owners set on the path and script I used. safe-mode works as expected. ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/33723 -- Edit this bug report at http://bugs.php.net/?id=33723&edit=1