ID:               41654
 User updated by:  dr at peytz dot dk
 Reported By:      dr at peytz dot dk
 Status:           Wont fix
 Bug Type:         Safe Mode/open_basedir
 Operating System: Linux
 PHP Version:      5.2.3
 New Comment:

In this case, PHP doesn't need to validate the socket path. It just
shouldn't add the specific error code to the error string. I doubt many
people will miss the "(13)" part of the error string.


Previous Comments:
------------------------------------------------------------------------

[2007-06-12 12:43:14] [EMAIL PROTECTED]

It is quite impractical for PHP to validate things like unix domain
socket paths for all databases that support them to avoid
open_basedir/safe_mode bypasses. Had the bypass allowed reading of
files, I could see the need to implement additional checks, but simple
"presence" checks don't warrant hacks necessary to add such protection.

------------------------------------------------------------------------

[2007-06-11 17:12:20] dr at peytz dot dk

Description:
------------
file_exists() etc. does not allow checking the existence of files
outside the directories specified in open_basedir.

This can be circumvented using mysql_connect(). The existence of a file
can be checked using the example code below.


Reproduce code:
---------------
$filename = '/etc/passwd';
mysql_connect(':' . $filename);
$error = error_get_last();
if (strpos($error['message'], '(13)')) {
    print 'file exists';
} else {
    print 'file does not exist';
}




------------------------------------------------------------------------
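
Added example, not part of the bug report and not PHP's own code: a Python sketch of the mitigation proposed in the newest comment, run against temporary paths constructed for the purpose. It compares an error message that carries the connect() errno with one that omits it; the function names and the message wording are assumptions.

```python
import errno
import os
import socket
import tempfile


def connect_errno(path):
    """errno from connect() on a unix-domain socket path, 0 on success."""
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.connect(path)
        return 0
    except OSError as exc:
        return exc.errno
    finally:
        sock.close()


def failure_message(path, include_errno):
    """Build the client-visible error text (wording is constructed)."""
    code = connect_errno(path)
    if code == 0:
        return "connected"
    text = "Can't connect through local socket"
    # With the errno appended, the text depends on why connect() failed.
    return "%s (%d)" % (text, code) if include_errno else text


def compare_messages():
    """Return (with_errno, without_errno) pairs for a present and an absent path."""
    with tempfile.TemporaryDirectory() as workdir:
        present = os.path.join(workdir, "present")
        absent = os.path.join(workdir, "absent")
        open(present, "w").close()
        os.chmod(present, 0)  # EACCES (13) for a normal user, ECONNREFUSED as root
        with_errno = (failure_message(present, True), failure_message(absent, True))
        without_errno = (failure_message(present, False), failure_message(absent, False))
    return with_errno, without_errno


if __name__ == "__main__":
    leaky, uniform = compare_messages()
    print("with errno:   ", leaky)
    print("without errno:", uniform)
```
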


-- 
Edit this bug report at http://bugs.php.net/?id=41654&edit=1
