RE: safe_mode_include_dir

> -----Original Message-----
> From: Tony Beyers [mailto:nigelmas@xxxxxxxxx]
> Sent: Thursday, December 13, 2007 4:56 PM
> To: PHP General list
> Subject: Re:  safe_mode_include_dir
> 
> No luck with these solutions. What does work is:
> 
>  require_once(dirname(__FILE__) . '/../php/support.php');
> 
> but I still don't understand why the relative link doesn't work.
> 
> 
> On Dec 12, 2007 6:38 PM, Andrés Robinet <agrobinet@xxxxxxxxxxxxx>
> wrote:
> >
> > > -----Original Message-----
> > > From: Tony Beyers [mailto:nigelmas@xxxxxxxxx]
> > > Sent: Wednesday, December 12, 2007 5:55 PM
> > > To: PHP General list
> > > Subject: Re:  safe_mode_include_dir
> > >
> > > Sorry about the double posting. I thought I sent the first email
> > > before I was subscribed.
> > >
> > > I definitely should've pointed out that the code works with safe_mode
> > > off so I know the paths are correct.
> > >
> > > I'm actually not the author of the code. I'm a sys admin trying to
> > > upgrade the site with safe_mode on.
> > >
> > > The target directory is a real world readable directory.
> > >
> > > On Dec 12, 2007 3:43 PM, Daniel Brown <parasane@xxxxxxxxx> wrote:
> > > >    Tony,
> > > >
> > > >    Calm down.  It may take us 21 minutes to respond sometimes, but we
> > > > will.  No need to repost.  ;-P
> > > >
> > > > On Dec 12, 2007 3:26 PM, Tony Beyers <nigelmas@xxxxxxxxx> wrote:
> > > > > I'm running php 5.2.5 with these settings in a virtualhost block in
> > > > > apache 2.0.61:
> > > > >         php_admin_flag safe_mode on
> > > > >         php_admin_value include_path "/afs/msu.edu/.../web"
> > > > >         php_admin_value safe_mode_include_dir "/afs/msu.edu/.../web"
> > > > > I've got an index.php file in web/support/ that does a
> > > > > require_once("../includes/support.php");
> > > >
> > > >    Is there a specific reason you're using require_once() instead of
> > > > include_once() ?  There actually is a difference.... include() and
> > > > include_once() will only include the file if that line of code is
> > > > executed, whereas require() and require_once() will include the file
> > > > even if the line is inside of an if() {} block for which the
> > > > condition(s) are never matched.
> > > >
> > > > > Being in afs with write access from multiple people, the uids of the
> > > > > files do not match and I get an error stating that. So I put the
> > > > > safe_mode_include_dir line above in but it did not fix the problem
> > > > > until I used the absolute path in the require_once line.
> > > > > Is there a way to include files with relative paths?
> > > >
> > > >    Of course there is.  For example, say you're in a laterally-equal
> > > > directory as one from which you want to include a file.
> > > >
> > > >    <? include('../otherdir/file.php'); ?>
> > > >
> > > >    As long as you have permissions to read the files, you're good to
> > > > go.  My guess is that you may have done the relative linking
> > > > improperly.  Is the file actually `web/includes/support.php` called
> > > > from `web/index.php`?
> > > >
> > > >    The other thing I would suggest is making sure your target include
> > > > directory is a real directory and not a symlinked directory.
> > > >
> > > > --
> > > > Daniel P. Brown
> > > > [Phone Numbers Go Here!]
> > > > [They're Hidden From View!]
> > > >
> > > > If at first you don't succeed, stick to what you know best so that you
> > > > can make enough money to pay someone else to do it for you.
> > > >
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> > Hi Tony,
> >
> > Please keep in mind that the use of
> >
> >        php_admin_value include_path "/afs/msu.edu/.../web"
> >
> > ...will prevent a user from changing the include_path because of the "admin"
> > part (this is ok for the safe mode include dir, but not for the include_path
> > setting I think). So, I'd say you keep the safe_mode_include_dir, and change
> > the include path to:
> >
> >        php_value include_path "/afs/msu.edu/.../web"
> >
> > Also, it is likely that while using relative paths you run into problems
> > because the "current directory" can be anything except the expected one, so
> > I'd rather use absolute paths (if it's my own code) or fix it using
> > .htaccess files (this is your case as you are a sysadmin) like this:
> >
> >        php_value include_path "/one/path;/another/path;./"
> >
> > ... but for that to work you must not use php_admin_value in the virtualhost
> > config (notice that this is not related to safe mode security, if safe_mode
> > is well configured, it doesn't mind what you are using as include_dir).
> >
> > If anyone has more ideas... please throw them (and fix my errors).
> >
> > Rob
> >
> >
> > Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
> > 5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308
> > | TEL 954-607-4207 | FAX 954-337-2695
> > Email: info@xxxxxxxxxxxxx  | MSN Chat: best@xxxxxxxxxxxxx  |  SKYPE:
> > bestplace |  Web: http://www.bestplace.biz | Web: http://www.seo-diy.com
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
> 
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

Hi Tony,

dirname(__FILE__) will always give you the script's directory, while
dirname(dirname(__FILE__)) would be equivalent to dirname(__FILE__).'/..'
which is what you are doing now.

Using relative paths is not a good idea, but if you have other people's code
to deal with, you'd be better off creating an .htaccess file or editing the
virtualhost configuration than checking file by file for relative paths and
converting them to absolute paths (even with linux tools like sed or awk...
there's no guarantee you'll do it right).

AFAIK, when you use relative paths, there are three things to take into
account:

1 - The script that's handling the request (the one that gets called first
and loads every other script). I think this can be queried through
$_SERVER['PHP_SELF'].
2 - The value for the PHP include path which you can obtain using
get_include_path().
3 - The current directory which you can obtain using getcwd(). Usually this
is the directory of the script that got called at first (but this is not
always the case).

However... this is a quote from my offline version of the extended PHP
manual...

"Files for including are first looked for in each include_path entry
relative to the current working directory, and then in the directory of
current script. E.g. if your include_path is libraries, current working
directory is /www/, you included include/a.php and there is include "b.php"
in that file, b.php is first looked in /www/libraries/ and then in
/www/include/. If filename begins with ./ or ../, it is looked only in the
current working directory."

So... provided that you are using "./script.php" and/or "../script.php"
what's the value for the current directory before you throw the
"require_once"? can you do an "echo getcwd()" in the line above the
"require_once" for testing purposes? Is that what you expect?

Also, keep in mind that for the safe_mode_include_dir directive to work
properly for relative paths, you must also add the shared path to the
include_path directive. Another quote of my offline PHP manual...

"safe_mode_include_dir string 
UID/GID checks are bypassed when including files from this directory and its
subdirectories (directory must also be in include_path or full path must
including). 

As of PHP 4.2.0, this directive can take a colon (semi-colon on Windows)
separated path in a fashion similar to the include_path directive, rather
than just a single directory. 

The restriction specified is actually a prefix, not a directory name. This
means that "safe_mode_include_dir = /dir/incl" also allows access to
"/dir/include" and "/dir/incls" if they exist. When you want to restrict
access to only the specified directory, end with a slash. For example:
"safe_mode_include_dir = /dir/incl/" 

If the value of this directive is empty, no files with different UID/GID can
be included in PHP 4.2.3 and as of PHP 4.3.3. In earlier versions, all files
could be included."

Anyway... for the sake of simplicity you can live with adding
dirname(__FILE__) everywhere for now.... but you'll see how bad it will be
if you have to modify one thousand scripts in this way, with variations such
as require/include, once/not-once, parenthesized/not-parenthesized. And you
will risk breaking legitimate scripts.

So... for the future, think about it.

Rob


Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308
| TEL 954-607-4207 | FAX 954-337-2695
Email: info@xxxxxxxxxxxxx  | MSN Chat: best@xxxxxxxxxxxxx  |  SKYPE:
bestplace |  Web: http://www.bestplace.biz | Web: http://www.seo-diy.com

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
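As an added example (not code from this thread, nor PHP's own source), the two manual rules Rob quotes above can be checked against a constructed set of paths: the include lookup order (include_path entries relative to the current working directory, then the script's directory, and only the working directory for names beginning with ./ or ../), and the safe_mode_include_dir "prefix, not directory name" match. The file set under /www/web and the sibling /www/webmaster are invented for the demonstration; real PHP canonicalises the path (realpath) before the safe_mode check, which this model skips.

```python
import posixpath

# Constructed filesystem for the example: the layout from the thread plus a
# sibling directory that happens to share the "/www/web" string prefix.
CONSTRUCTED_FILES = frozenset({
    "/www/web/support/index.php",
    "/www/web/includes/support.php",
    "/www/webmaster/secrets.php",
})


def constructed_exists(path):
    """Stand-in for file_exists() so the example runs offline."""
    return path in CONSTRUCTED_FILES


def resolve_include(filename, include_path, cwd, script_dir, exists=constructed_exists):
    """Model (assumption: follows the manual's wording, not PHP's C code) of
    where include/require look for a file:

    - absolute names are used as given;
    - names starting with ./ or ../ are resolved against cwd only;
    - anything else is tried under each include_path entry (relative entries
      are taken relative to cwd), then under the directory of the current script.
    Returns the first existing candidate, or None.
    """
    if filename.startswith("/"):
        candidates = [filename]
    elif filename.startswith("./") or filename.startswith("../"):
        candidates = [posixpath.join(cwd, filename)]
    else:
        # posixpath.join drops cwd when the entry is already absolute.
        candidates = [posixpath.join(cwd, entry, filename)
                      for entry in include_path.split(":") if entry]
        candidates.append(posixpath.join(script_dir, filename))
    for cand in candidates:
        cand = posixpath.normpath(cand)   # collapses ../ segments
        if exists(cand):
            return cand
    return None


def safe_mode_include_allowed(resolved_path, safe_mode_include_dir):
    """Model of the UID/GID bypass: a plain string-prefix comparison against
    each colon-separated entry. That is why "/www/web" also covers
    "/www/webmaster/..." and why the manual says to end the entry with a slash.
    An empty directive allows nothing (PHP >= 4.3.3 behaviour in the quote)."""
    if not safe_mode_include_dir:
        return False
    return any(resolved_path.startswith(entry)
               for entry in safe_mode_include_dir.split(":") if entry)


if __name__ == "__main__":
    script_dir = "/www/web/support"
    # cwd is the script directory, the usual case under Apache: ../ works.
    print(resolve_include("../includes/support.php", "/www/web", script_dir, script_dir))
    # cwd is somewhere else: the same ../ path silently resolves to nothing.
    print(resolve_include("../includes/support.php", "/www/web", "/www", script_dir))
    # A path relative to include_path does not depend on cwd.
    print(resolve_include("includes/support.php", "/www/web", "/www", script_dir))
    # Prefix match without a trailing slash leaks into the sibling directory.
    print(safe_mode_include_allowed("/www/webmaster/secrets.php", "/www/web"))
    print(safe_mode_include_allowed("/www/webmaster/secrets.php", "/www/web/"))
```

The practical check for Tony's setup is the one Rob suggests (echo getcwd() just before the require_once): if it is not web/support, the ../ form cannot work under any include_path setting. The trailing slash on safe_mode_include_dir costs nothing and closes the sibling-directory prefix case.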
