 ID:               21975
 Comment by:       tim at timj dot co dot uk
 Reported By:      philip at cornado dot com
 Status:           Open
 Bug Type:         Documentation problem
 Operating System: all
 PHP Version:      4.3.0
 New Comment:

As noted in bug 13843, all program execution functions pass the complete
command that is about to be executed to the internal equivalent of
escapeshellcmd() before executing, when in safe mode.

This is a very important gotcha which doesn't appear to be documented
anywhere; it should be documented on the manual page for each program
execution function, and also in "Features -> Safe Mode -> Functions
restricted/disabled by safe mode".


Previous Comments:
------------------------------------------------------------------------

[2003-05-14 07:31:51] nickyboy at 4ce dot co dot uk

Following an upgrade from 4.0.6 it seems that open_basedir and
move_uploaded_file no longer resolve symlinks.

Previously the scripts worked with no problem, but we've just had to
update httpd.conf so the php_admin_value open_basedir is now the real
path rather than a symlink...

The documentation for open_basedir states:

http://www.php.net/manual/sl/features.safe-mode.php

"All symbolic links are resolved"

There is a user comment on move_file_upload but there is no formal
documentation for this!

I'm guessing it's a bug rather than new behaviour, or the documentation
needs a look...

This is however a different issue from bug 21885 and that may be worth a
look first if you are getting errors mentioning the /tmp directory!

------------------------------------------------------------------------

[2003-04-17 20:01:44] moron at industrial dot org

It appears that move_uploaded_file() is either broken with 4.3.1 or its
behaviour radically changed under safe_mode. All of a sudden file
uploads are now failing with "open_basedir" restriction errors (kind of
defeating the purpose of move_uploaded_file IMHO).

Some clarification on this issue would be definitely appreciated.

Cheers

------------------------------------------------------------------------

[2003-01-30 21:41:45] philip at cornado dot com

This bug report is where we list quirks, concerns, BC breaks, uses, and
general gotchas that stem from either safe mode or open_basedir.
Information that everyone from sysadmins to newbie users should know.

For example, a potential safe_mode gotcha:

 - As of PHP 4.3.0, the PHP_AUTH_* variables are NOT available in PHP
   when both an external auth mechanism exists and PHP is in safe mode.
   Note: REMOTE_USER is available regardless.

There are others that belong in this bug report and eventually in the
docs. Regarding open_basedir, there is a recent (4.3.0) PHP change
regarding both upload_dir and include_path but I'm not sure what they
are exactly ... hopefully this bug report will know soon ;) And there
are others.

open_basedir and safe mode are documented here:

 - phpdoc/{lang}/features/safe-mode.xml

------------------------------------------------------------------------
