php-developer-list | 2000101
Date: 10/13/00
- Next message: Jason Greene: "[PHP-DEV] Webhosting Enhancements to php"
- Previous message: Bug Database: "[PHP-DEV] PHP 4.0 Bug #7185 Updated: $count++ bug (does not increase value in some cases)"
- Next in thread: Bug Database: "[PHP-DEV] PHP 4.0 Bug #7187 Updated: open_basedir is broken! Security alert!"
ID: 7187
User Update by: dron <email protected>
Status: Open
Bug Type: PHP options/info functions
Description: open_basedir is broken! Security alert!
http://www.php.net/manual/configuration.php
----
open_basedir string
Limit the files that can be opened by PHP to the specified directory-tree. When a script tries to open a file with, for example, fopen or gzopen, the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink.
The special value . indicates that the directory in which the script is stored will be used as base-directory
---
I don't need a full path - I want to restrict users from accessing files in upper-level directories.
As Mr. Zeev Suraski said: It's not related to open_basedir, there's a problem in the php_value system in 4.0.3.
Previous Comments: ---------------------------------------------------------------------------
[2000-10-13 12:20:35] andi <email protected> You should be using full path with the open_basedir directive as far as I know. Can you please try and let us know of the results?
---------------------------------------------------------------------------
[2000-10-13 12:01:50] dron <email protected> open_basedir is broken in the 4.03 release!!! It is not working like in 4.02. I used php_value open_basedir '.' in 4.02 to restrict some virtual servers in Apache from accessing external files, but after upgrading to version 4.03 it allows access to any file in the filesystem. Running Apache 1.3.12 and PHP as a dynamic module. Any hotfix?
It MAY be connected with Bug id #7175. Please fix as soon as possible!
---------------------------------------------------------------------------
[2000-10-13 11:52:51] dron <email protected> open_basedir is broken in the 4.03 release!!! It is not working like in 4.02. I used php_value open_basedir '.' in 4.02 to restrict some virtual servers in Apache from accessing external files, but after upgrading to version 4.03 it allows access to any file in the filesystem. Running Apache 1.3.12 and PHP as a dynamic module. Any hotfix?
---------------------------------------------------------------------------
Full Bug description available at: http://bugs.php.net/?id=7187
-- PHP Development Mailing List <http://www.php.net/> To unsubscribe, e-mail: php-dev-unsubscribe <email protected> For additional commands, e-mail: php-dev-help <email protected> To contact the list administrators, e-mail: php-list-admin <email protected>
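A self-check for the failure reported in this thread, where a per-virtual-host `php_value open_basedir` setting stops taking effect after an upgrade. This is an added example, not code from the bug report or from PHP itself; it assumes a current PHP version, and `check_open_basedir()` and its `$probe` argument are names chosen for this illustration.

```php
<?php
// Added example: verify that open_basedir is applied AND enforced for the
// virtual host this script is served from. Names here are hypothetical.

function check_open_basedir($probe = null)
{
    // Effective value for this request, i.e. after any php_value lines
    // in the server or virtual-host configuration have been processed.
    $configured = (string) ini_get('open_basedir');

    // Default probe: the directory above the script. With the script's own
    // directory as base-directory, this location must not be readable.
    if ($probe === null) {
        $probe = dirname(__DIR__);
    }

    // Attempt the access PHP is supposed to refuse; @ hides the warning.
    $isDir  = @is_dir($probe);
    $handle = $isDir ? @opendir($probe) : @fopen($probe, 'r');
    $reachable = ($handle !== false);
    if ($reachable) {
        $isDir ? closedir($handle) : fclose($handle);
    }

    if ($configured === '') {
        // The directive never reached this request (the case in this report).
        $verdict = 'NOT APPLIED';
    } elseif ($reachable) {
        // A value is set, but a path outside the tree could still be opened.
        $verdict = 'SET BUT NOT ENFORCED';
    } else {
        // Refused. File permissions can also cause a refusal, so confirm
        // the probe is readable by the web server user without open_basedir.
        $verdict = 'ENFORCED';
    }

    return array(
        'configured' => $configured,
        'probe'      => $probe,
        'reachable'  => $reachable,
        'verdict'    => $verdict,
    );
}

header('Content-Type: text/plain');
foreach (check_open_basedir() as $key => $value) {
    printf("%-10s %s\n", $key, var_export($value, true));
}
```

Requesting the script once per virtual host before and after a PHP upgrade shows whether the restriction survived; any verdict other than ENFORCED means scripts in that host can read outside their tree.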

