NYPHP.org

[nycphp-talk] apocryphal safe mode bug and SANS' alert CAN-2003-0863

Chris Shiflett shiflett at php.net
Sat Nov 15 16:09:06 EST 2003


--- Tim Gales <tgales at tgaconnect.com> wrote:
> "CAN-2003-0863" "The php_check_safe_mode_include_dir function in
> fopen_wrappers.c of PHP 4.3.x returns a success value (0) when the
> safe_mode_include_dir variable is not specified in configuration

[snip]

> Anyway, it's no wonder people think PHP has security problems.

I might be misunderstanding, but someone thinks it is a bug in PHP if,
when you don't enable safe_mode, safe_mode is not enabled for you?

I read your entire email, and I saw nothing that could be classified as a
bug or a security vulnerability. If I omit safe_mode from my php.ini, why
should PHP assume I meant to enable it?

Please correct me if I misinterpreted anything.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security Handbook
     Coming mid-2004
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp
