[PHP-DEV] ENFORCE_SAFE_MODE
From: Andi Gutmans (andi <email protected>)
Date: 08/30/00

Some calls to php_fopen_wrappers() use the ENFORCE_SAFE_MODE #define and
some don't. Actually, on the whole, if you're using include_path you can often
circumvent the ENFORCE_SAFE_MODE option and still open a file which you're
not supposed to open.
I am getting rid of it and am only checking PG(safe_mode) in
fopen-wrappers.c. This should make the safe_mode much, much safer from now
on (at least the code that uses the php_fopen_wrappers()). I have heard in
the past that some extension modules might want to open some system fonts
and stuff, so you wouldn't want to enable safe mode for those modules, but I
think it's a bad explanation. You could probably use those extensions to
open /etc/passwd and maybe even get some kind of info back by chance.
If anyone thinks I'll break something badly, scream now!

Andi

---
Andi Gutmans <andi <email protected>>
http://www.zend.com/
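
The difference between a per-call enforcement flag and a check made inside the wrapper, as an added example that is not part of the original mail and is not PHP's source. Only ENFORCE_SAFE_MODE, safe_mode and /etc/passwd come from the mail; the function names, the flag value and the path policy are hypothetical stand-ins.

```c
#include <stdio.h>
#include <string.h>

#define ENFORCE_SAFE_MODE 0x1   /* per-call opt-in flag; the value is assumed */

static int safe_mode = 1;       /* stands in for the global PG(safe_mode) setting */

/* Hypothetical policy stand-in: only paths under the script's own
 * directory pass. The real safe-mode check is not reproduced here. */
static int path_allowed(const char *path) {
    return strncmp(path, "/home/site/", 11) == 0;
}

/* Old shape: the wrapper checks only when the caller passes the flag,
 * so a call site that omits it fails open. */
static int open_optin(const char *path, int options) {
    if ((options & ENFORCE_SAFE_MODE) && safe_mode && !path_allowed(path))
        return -1;
    return 0;                   /* the file would be opened here */
}

/* New shape: the wrapper consults the global setting itself; the
 * options argument can no longer switch the check off. */
static int open_central(const char *path, int options) {
    (void)options;
    if (safe_mode && !path_allowed(path))
        return -1;
    return 0;
}

/* Two hypothetical call sites: one remembers the flag, one does not. */
static int caller_with_flag(int (*op)(const char *, int), const char *p) {
    return op(p, ENFORCE_SAFE_MODE);
}
static int caller_without_flag(int (*op)(const char *, int), const char *p) {
    return op(p, 0);
}

int main(void) {
    const char *outside = "/etc/passwd";   /* path named in the mail */
    printf("opt-in,  flag passed : %d\n", caller_with_flag(open_optin, outside));
    printf("opt-in,  flag omitted: %d\n", caller_without_flag(open_optin, outside));
    printf("central, flag passed : %d\n", caller_with_flag(open_central, outside));
    printf("central, flag omitted: %d\n", caller_without_flag(open_central, outside));
    return 0;
}
```

A return of -1 means the open was refused; only the opt-in wrapper returns 0 for the outside path, and only at the call site that omits the flag.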
