Join Up! 104886 members and counting!

Login To PHPBuilder User Name: Password: Register A New Site Account * NOTE: This is for logging into the main site only! To login to the forums, click here

Linux Today Enterprise Linux Today Apache Today JustLinux.com Linux Planet PHPBuilder All Linux Devices Hiermenus DatabaseJournal Technology Jobs Covalent Extends Apache 2.0 to Microsoft ASP.NET ShopWorX - Support for Windows PHP Security Advisory: Vulnerability in PHP versions 4.2.0 and 4.2.1 Network Risk Assessment Full-Featured, Java-Based Apache GUI Using Sockets in PHP DOM XML: An Alternative to Expat Secure programming with PHP Managing Zend Framework Layouts In Case You Missed It...The Week of May 30, 2005

php-developer-list | 2001122

From: ajo <email protected>
Date: 12/19/01

• Next message: rdzil <email protected>: "[PHP-DEV] Bug #14609: window not closed if this script ended"
• Previous message: benjamin yates: "Re: [PHP-DEV] Question: Should exit() print out the integer exit-status?"
• Next in thread: derick <email protected>: "[PHP-DEV] Bug #13447 Updated: Security not blocking "unlink" delete functions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

ID: 13447
User updated by: ajo <email protected>
Reported By: ajo <email protected>
Old Status: Feedback
Status: Open
Bug Type: Filesystem function related
Operating System: windows 2000
PHP Version: 4.0.6
New Comment:

I tried both adding a trailing slash (c:/pr/), and 4.1.0

You are still able to delete a file at your choosing. It's also interesting that the following has NO EFFECT.

php_admin_value disable_functions unlink

I have been unable to disable the command also.

I really want to get PHP setup, but I can't give global access to everyone.

Previous Comments:
------------------------------------------------------------------------

[2001-12-19 08:43:14] sander <email protected>

Can you try adding a trailing slash (c:/pr/), and can you try 4.1.0???

------------------------------------------------------------------------

[2001-09-26 04:48:28] ajo <email protected>

Running PHP in Apache using the MODULE configuration.

Apache/1.3.14 (Win32) PHP/4.0.6 mod_ssl/2.7.2 OpenSSL/0.9.6 running.

With the following:

php_admin_flag safe_mode on
php_admin_value open_basedir c:/pr
php_admin_value doc_root c:/pr
php_admin_value user_dir c:/pr

IT SUCCESSFULLY blocks reads in directories other than c:/pr, but it DOES NOT block unlinks (file deletion) outside. So... My users cannot read other users files, however they can delete anything they want. Very strange. I DO NOT care about it checking "UIDs" as I do not create different Users for each USER... I want to be able to restrict access to a directory and call it good.

<?php

echo "Peace!";
//unlink ("c:/test.txt");// UNLINK WORKS (This should fail)
$fp = fopen ("c:/test.txt", "r"); // FAILS SECURITY CHECK
echo "Dude10";
?>

------------------------------------------------------------------------

Edit this bug report at http://bugs.php.net/?id=13447&edit=1

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: php-dev-unsubscribe <email protected>
For additional commands, e-mail: php-dev-help <email protected>
To contact the list administrators, e-mail: php-list-admin <email protected>

• Next message: rdzil <email protected>: "[PHP-DEV] Bug #14609: window not closed if this script ended"
• Previous message: benjamin yates: "Re: [PHP-DEV] Question: Should exit() print out the integer exit-status?"
• Next in thread: derick <email protected>: "[PHP-DEV] Bug #13447 Updated: Security not blocking "unlink" delete functions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Columns / Articles | Tips / Quickies | News | News Linking and RSS Feeds | Shared Code Library Mail Archives | Support / Discussion Forums | Get Started! Links | Contribute! | Docs