Re: [PHP-DEV] patch - adds new setting safe_mode_hide_env_vars
From: Jason Greene (jason <email protected>)
Date: 10/21/00

I did think of that; safe_mode blocks all capability to execute commands
(backticks, passthru, exec, system, etc.)

-Jason

Andi Gutmans wrote:
>
> What if someone does exec("printenv") ? He can still get all of the
> environment variables.
>
> Andi
>
> At 04:35 PM 10/20/00 -0700, Jason Greene wrote:
> >If you guys could take a look at this patch, and see what you think. This
> >allows for an ini setting that will block specified
> >environmental variables from being seen by php scripts. It does make one
> >update that probably should be moved, and that is in
> >php_module_startup. Since this uses a hashtable datatype, zend_hash_init
> >needs to be called. You guys probably don't want this in
> >the main startup, but I figured that you could let me know where it could
> >go best. Maybe a startup call in safe_mode.c?
> >
> >I know we had discussions about doing an env -i before running apache, and
> >I do agree on cleaning the apache users environment, but
> >there is always the possibility of env vars you can't remove.
> >(LD_LIBRARY_PATH) .
> >
> >If you like the idea, but want things in different places let me know
> >
> >-Jason
> >
> >--
> >PHP Development Mailing List <http://www.php.net/>
> >To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
> >For additional commands, e-mail: php-dev-help <email protected>
> >To contact the list administrators, e-mail: php-list-admin <email protected>
>
> ---
> Andi Gutmans <andi <email protected>>
> http://www.zend.com/
