Date: 10/21/00
- Next message: venaas <email protected>: "[PHP-DEV] PHP 4.0 Bug #7194 Updated: array_intersect() changes element order"
- Previous message: Tjabo Kloppenburg: "[PHP-DEV] Re: PHP 4.0 Bug #6772 Updated: wrong documentaion for strrchr and strrpos"
- Next in thread: Jason Greene: "Re: [PHP-DEV] patch - adds new setting safe_mode_hide_env_vars"
- Reply: Jason Greene: "Re: [PHP-DEV] patch - adds new setting safe_mode_hide_env_vars"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Oh, OK. In that case, it does sound reasonable.
I still would like to move some of the other safe_mode stuff (like
checkuid()) to a more centralized place such as
php_fopen_and_set_opened_path() (I moved open_basedir there) but there are
some issues such as in the GD module where you do want to allow the
developer to open certain files even if they aren't under his uid.
This whole safe_mode issue is a very complex issue and I don't know how easily
we can:
a) centralize it more
b) Make sure everything is safe_mode'ed and works the way it's supposed to.
Right now I tell people that I don't consider safe_mode as being completely
"safe".
Andi
At 11:57 AM 10/21/00 -0500, Jason Greene wrote:
>I did think of that, safe_mode blocks all capability to execute commands
>( backticks, passthru, exec, system, etc )
>
>-Jason
>
>
>Andi Gutmans wrote:
> >
> > What if someone does exec("printenv") ? He can still get all of the
> > environment variables.
> >
> > Andi
> >
> > At 04:35 PM 10/20/00 -0700, Jason Greene wrote:
> > >If you guys could take a look at this patch, and see what you think. This
> > >allows for an ini setting that will block specified
> > >environmental variables from being seen by php scripts. It does make one
> > >update that probably should be moved, and that is in
> > >php_module_startup. Since this uses a hashtable datatype, zend_hash_init
> > >needs to be called. You guys probably don't want this in
> > >the main startup, but I figured that you could let me know where it could
> > >go best. Maybe a startup call in safe_mode.c?
> > >
> > >I know we had discussions about doing an env -i before running apache, and
> > >I do agree on cleaning the apache user's environment, but
> > >there is always the possibility of env vars you can't remove.
> > >(LD_LIBRARY_PATH) .
> > >
> > >If you like the idea, but want things in different places let me know
> > >
> > >-Jason
> > >
> > >--
> > >PHP Development Mailing List <http://www.php.net/>
> > >To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
> > >For additional commands, e-mail: php-dev-help <email protected>
> > >To contact the list administrators, e-mail: php-list-admin <email protected>
> >
> > ---
> > Andi Gutmans <andi <email protected>>
> > http://www.zend.com/
---
Andi Gutmans <andi <email protected>>
http://www.zend.com/

