ID:               31618
Updated by:       [EMAIL PROTECTED]
Reported By:      kpederson at mail dot ewu dot edu
Status:           Assigned
Bug Type:         Filesystem function related
Operating System: redhat enterprise
PHP Version:      5CVS-2005-03-14
Assigned To:      tony2001
New Comment:

This is the reason why safe_mode should have been nuked a long time ago.


Previous Comments:
------------------------------------------------------------------------

[2005-08-12 20:04:46] kpederson at mail dot ewu dot edu

Hmm... I can understand that logic. The docs say:

"UID/GID checks are bypassed when including files from this directory and its subdirectories"

which also seems to fit.

It's going to make it really hard for me (and I would guess many others) as a developer to support a given use case. The use case that doesn't seem to be satisfied by this is when the files in the safe_mode_include_dir (smarty for example) need to fopen() other files in that directory. Smarty tries is_readable, which now succeeds, but there is no way for smarty, when running under safe mode, to actually read common templates... <sigh>.

I don't know if this use case can be satisfied without that functionality.... I have hundreds of users, but no apparent way (other than includes, which now work) to do any type of complex templating. In most commercial environments, this wouldn't seem like a problem, but in the university setting, they all need access to a common template.

Ok. I'm ranting and a bit frustrated -- although I do admit that you're right per all the docs. Feel free to delete this message and close the bug report. I appreciate you leaving it open a bit longer.

If you're open for any discussion, you can e-mail me.

Thanks.

------------------------------------------------------------------------

[2005-08-12 19:17:12] [EMAIL PROTECTED]

Yes, I've made this intentionally.
The file in safe_mode_include_dir can be included, but cannot be opened using fopen() and friends.
IMO that's why this directive is called safe_mode_*INCLUDE*_dir.

------------------------------------------------------------------------

[2005-08-12 19:11:00] kibab at icehouse dot net

Ok, I tried it out on my dev server and it works! is_readable() now returns the correct values based on the ownership of the file.

From my initial test:

is_readable: /var/lib/php/test_templ2.php (true)
TEST

The fopen($myfilename) call, however, still fails with the following error message (perhaps I should file this as a separate bug report...):

Warning: fopen() [function.fopen]: SAFE MODE Restriction in effect. The script whose uid/gid is 49/49 is not allowed to access /var/lib/php/test_templ2.php owned by uid/gid 0/0 in /var/www/sites/devel/test.php on line 10

Warning: fopen(/var/lib/php/test_templ2.php) [function.fopen]: failed to open stream: Success in /var/www/sites/devel/test.php on line 10

And... safe_mode_include_dir on that server is set to /var/lib/php.

------------------------------------------------------------------------

[2005-08-12 18:03:49] [EMAIL PROTECTED]

Please try again. It should be there this time.

------------------------------------------------------------------------

[2005-08-12 17:33:29] kibab at icehouse dot net

I can't get to it, I just keep getting a 404 error?

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at
    http://bugs.php.net/31618

-- 
Edit this bug report at http://bugs.php.net/?id=31618&edit=1