Maybe creating an php.ini option like "disable_ini" where the admin can list
the ini options that can be or cannot be set by users. Of course certain
options like "child_terminate" should be disabled by default.
Btw the "child_terminate" which allows the user to kill the current apache
child is
Right, but it would seem like we need a bit of a general purpose check on
ini_set() from userspace. There are probably other directives that we may
not want to allow or at least want to check from safe_mode. But yes,
that's the code I was looking at. I think we should apply the safe-mode
restri
We can check it at the ini handler level.
We can either forbid modifying error_log from userspace (denying
PHP_INI_USER), deny it only in safe mode, or even apply the safe mode
restriction at that level.
At 00:25 13/05/2002, Rasmus Lerdorf wrote:
>Not quite sure how to fix this one. It's not
Not quite sure how to fix this one. It's not like we can simply check
before we open the error_log file in general, because that might be set
by the server admin, it is only if the user tries to redefine where this
error logfile should be that we want to apply the safe-mode restriction.
Even if w
