 |
 |
 |
 |
|
|
Date: 09/26/01
- Next message: Stig Sæther Bakken: "Re: [PHP-DEV] [RFC] Versioning rules for PHP/Zend/PEAR/Extensions"
- Previous message: Emanuel Dejanu: "RE: [PHP-DEV] RE: Re: How do I register a constructor in PHP (C code)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
From: ajo <email protected>
Operating system: windows 2000
PHP version: 4.0.6
PHP Bug Type: Filesystem function related
Bug description: Security not blocking "unlink" delete functions
Running PHP in Apache using the MODULE configuration.
Apache/1.3.14 (Win32) PHP/4.0.6 mod_ssl/2.7.2 OpenSSL/0.9.6 running.
With the following:
php_admin_flag safe_mode on
php_admin_value open_basedir c:/pr
php_admin_value doc_root c:/pr
php_admin_value user_dir c:/pr
IT SUCCESSFULLY blocks reads in directories other than c:/pr, but it DOES
NOT block unlinks (file deletion) outside. So... My users cannot read other
users files, however they can delete anything they want. Very strange. I DO
NOT care about it checking "UIDs" as I do not create different Users for
each USER... I want to be able to restrict access to a directory and call
it good.
<?php
echo "Peace!";
//unlink ("c:/test.txt");// UNLINK WORKS (This should fail)
$fp = fopen ("c:/test.txt", "r"); // FAILS SECURITY CHECK
echo "Dude10";
?>
-- Edit bug report at: http://bugs.php.net/?id=13447&edit=1-- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: php-dev-unsubscribe <email protected> For additional commands, e-mail: php-dev-help <email protected> To contact the list administrators, e-mail: php-list-admin <email protected>
- Next message: Stig Sæther Bakken: "Re: [PHP-DEV] [RFC] Versioning rules for PHP/Zend/PEAR/Extensions"
- Previous message: Emanuel Dejanu: "RE: [PHP-DEV] RE: Re: How do I register a constructor in PHP (C code)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]