[nycphp-talk] apocryphal safe mode bug and SANS' alert CAN-2003-0863
Chris Shiflett
shiflett at php.net
Sat Nov 15 16:09:06 EST 2003
--- Tim Gales <tgales at tgaconnect.com> wrote:
> "CAN-2003-0863" "The php_check_safe_mode_include_dir function in
> fopen_wrappers.c of PHP 4.3.x returns a success value (0) when the
> safe_mode_include_dir variable is not specified in configuration
[snip]
> Anyway it's no wonder people think PHP has security problems.
I might be misunderstanding, but someone thinks it is a bug in PHP if,
when you don't enable safe_mode, that safe_mode is not enabled for you?
I read your entire email, and I saw nothing that could be classified as a
bug or a security vulnerability. If I omit safe_mode from my php.ini, why
should PHP assume I meant to enable it?
Please correct me if I misinterpreted anything.
Chris
=====
Chris Shiflett - http://shiflett.org/
PHP Security Handbook
Coming mid-2004
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp