Re: [PHP-DEV] patch - adds new setting safe_mode_hide_env_vars
From: Andi Gutmans (andi <email protected>)
Date: 10/21/00

What if someone does exec("printenv")? He can still get all of the
environment variables.

Andi

At 04:35 PM 10/20/00 -0700, Jason Greene wrote:
>If you guys could take a look at this patch, and see what you think. This
>allows for an ini setting that will block specified environmental variables
>from being seen by PHP scripts. It does make one update that probably should
>be moved, and that is in php_module_startup. Since this uses a hashtable
>datatype, zend_hash_init needs to be called. You guys probably don't want
>this in the main startup, but I figured that you could let me know where it
>could go best. Maybe a startup call in safe_mode.c?
>
>I know we had discussions about doing an env -i before running Apache, and
>I do agree on cleaning the Apache user's environment, but there is always
>the possibility of env vars you can't remove (LD_LIBRARY_PATH).
>
>If you like the idea, but want things in different places, let me know.
>
>-Jason
>
>--
>PHP Development Mailing List <http://www.php.net/>
>To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
>For additional commands, e-mail: php-dev-help <email protected>
>To contact the list administrators, e-mail: php-list-admin <email protected>

---
Andi Gutmans <andi <email protected>>
http://www.zend.com/
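
The gap raised in this reply, as an added shell example that is not part of the original thread or the patch: a hide list applied at the script's lookup layer does not change what a spawned command inherits, while a launch through `env -i` with an allowlist leaves nothing to inherit. All function names, variable names and values below are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample data: names and values are made up for this demo.
HIDE_LIST="DB_PASSWORD API_TOKEN"   # names the script-level lookup should hide
KEEP_LIST="PATH LANG"               # allowlist used for the scrubbed launch
export DB_PASSWORD="s3cret-constructed" API_TOKEN="tok-constructed"
export LANG="${LANG:-C}"

# Script-layer lookup: a hypothetical stand-in for a getenv() wrapper that
# consults a hide list, which is the behaviour the patch description outlines.
filtered_getenv() {
    for name in $HIDE_LIST; do
        [ "$1" = "$name" ] && return 0   # hidden: print nothing
    done
    printenv "$1" || true
}

# What a spawned command sees: the child inherits the real process
# environment, so the hide list above is never consulted.
child_getenv() {
    sh -c 'printenv "$1" || true' sh "$1"
}

# Scrubbed launch: start from an empty environment (env -i) and re-add only
# the allowlisted names, so a child has nothing sensitive to inherit.
scrubbed_child_getenv() {
    want=$1
    set --
    for name in $KEEP_LIST; do
        value=$(printenv "$name") && set -- "$@" "$name=$value"
    done
    env -i "$@" /bin/sh -c 'printenv "$1" || true' sh "$want"
}

# Compare the three views for each hidden name.
for v in $HIDE_LIST; do
    printf '%s: filtered=[%s] child=[%s] scrubbed=[%s]\n' "$v" \
        "$(filtered_getenv "$v")" "$(child_getenv "$v")" \
        "$(scrubbed_child_getenv "$v")"
done
```

The allowlist approach assumes the service runs correctly without the dropped variables; any name that must stay in `KEEP_LIST` remains visible to child processes.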
