[prev in list] [next in list] [prev in thread] [next in thread] 

List:       php-general
Subject:    [PHP] Re: include_path and safe_mode in virtualhost
From:       62.131.2.67
Date:       2004-09-30 10:32:34
Message-ID: 20040930103233.62011.qmail () pb1 ! pair ! com
[Download RAW message or body]

Christian Ista wrote:

> Hello,
> 
> I have a didecated server (linux redhat + apache 1.31.x and PHP 4.3.x).
> 
> I'd like for a specific virualhost, set the include_path and safe_mode
> 
> To do that, I did :
> <Virtualhost>
> .....
> php_admin_value safe_mode  on
> php_admin_value include_path ".:/design:/home:/manager:/login:/style"
> </Virtualhost>
> 
> Then I make 2 tests with a test.php page placed on this server.
> 
> 1. I try in a test page, include an HTML file. This file is on another server. I \
> have in the test page <?php include("www.other-server.com/myfile.html ?>. In the \
> myfile.html there is only the text "MY TEST". 
> When I call test.php, I see "MY TEST".
> 
> It's not normal I thing because I include a file from outside the include_path.
> 
> Do you have an idea what's happen ?
> 
> 2. I do an another include but this time from a local file (/etc/my.cnf, it's the \
> configuration file for MySQL, the owner is root) 
> With php_admin_value values in the virtual host, impossible to include even if I \
> specify the path of this file in the include_path. Is it normal ? 
> For me the most important point is the first, why is it still possible ton include \
> a remote file? 
> Regards,
> 
> Christian,
because you've got allow_url_fopen = On. safe_mode doesn't stop that. 
You need to turn the allow_url_fopen Off to limit that ability...

- Tul

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[prev in list] [next in list] [prev in thread] [next in thread]