ID:               20689
Updated by:       [EMAIL PROTECTED]
Reported By:      [EMAIL PROTECTED]
Status:           Won't fix
Bug Type:         *Configuration Issues
Operating System: w2k and linux both
PHP Version:      4.2.3
New Comment:

So run a separate restricted instance of Apache/PHP for virtualhosts you want to restrict and a non-restricted one for the others.

Previous Comments:
------------------------------------------------------------------------

[2002-11-27 20:55:48] [EMAIL PROTECTED]

Even if the performance penalty is huge, it would still be really nice to have that for security reasons. What if you are doing web hosting on Windows and want to stop people from running system commands? The user can run a system command in his own folder, of course, but then he can also run a batch file that actually accesses files above his own folder even if safe mode is on and base dir is set. The problem will be the running of the batch file. Legally the user only used a PHP system command in his own folder, but the batch file can now go ahead and delete files on the server anywhere. So I personally consider this to be a bug, and a very serious one from the point of view of web hosting for the public.

------------------------------------------------------------------------

[2002-11-27 20:22:47] [EMAIL PROTECTED]

For technical reasons this cannot be done. Well, it could, but the performance penalty would be huge.

------------------------------------------------------------------------

[2002-11-27 20:09:10] [EMAIL PROTECTED]

OK, here it goes, I will come to the point. php_admin_value disable_functions function_string does not work on a per domain basis. I know that is what the documentation says also, but I think it should be allowed to work on a per domain basis by allowing it to be used in the conf file in the virtual domains. The funny part is that even if you do put this in the virtual domain, for example php_admin_value disable_functions phpinfo, this means that phpinfo is not allowed to run on that domain. The phpinfo not only runs, but it shows the local setting that phpinfo is actually disabled, whereas it is not.

If this were allowed to be in the conf files, running PHP would be a lot more secure and there would be a lot less headache for the admin.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=20689&edit=1
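
An added example, not part of the bug report or of PHP itself: a small Python check that flags disable_functions set through php_value or php_admin_value in an Apache config, where, as the report describes, phpinfo shows the function as disabled while it still runs. The sample config, host names and paths are constructed, and find_ineffective is a hypothetical helper name.

```python
import re

# Constructed sample Apache config; host names and paths are made up.
SAMPLE_CONF = """\
<VirtualHost *:80>
    ServerName customer-a.example
    php_admin_value open_basedir /home/customer-a
    php_admin_value disable_functions "system,exec,phpinfo"
</VirtualHost>
<VirtualHost *:80>
    ServerName customer-b.example
    # php_admin_value disable_functions system
</VirtualHost>
<Directory /home/customer-c/www>
    php_value disable_functions passthru
</Directory>
"""

OPEN = re.compile(r"^<(\w+)\b([^>]*)>$")
CLOSE = re.compile(r"^</(\w+)>$")
DIRECTIVE = re.compile(r"^php_(?:admin_)?value\s+disable_functions\s+(.+)$", re.I)

def find_ineffective(conf_text):
    """Return (line_no, scope, functions) for each disable_functions set outside php.ini."""
    findings, stack, name = [], [], None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out directives
        if CLOSE.match(line):
            if stack:
                stack.pop()
            name = None  # ServerName belongs to the section just closed
        elif m := OPEN.match(line):
            stack.append(f"{m.group(1)} {m.group(2).strip()}")
        elif line.lower().startswith("servername "):
            name = line.split(None, 1)[1]
        elif m := DIRECTIVE.match(line):
            funcs = [f.strip() for f in m.group(1).strip("\"'").split(",") if f.strip()]
            findings.append((no, name or (stack[-1] if stack else "server config"), funcs))
    return findings

if __name__ == "__main__":
    for no, scope, funcs in find_ineffective(SAMPLE_CONF):
        print(f"line {no}: [{scope}] disable_functions={','.join(funcs)} "
              "is displayed by phpinfo but not enforced; set it in php.ini")
```

Each finding marks a host whose owner may believe the listed functions are blocked; the remedy given in the newest comment is a separate Apache/PHP instance with its own php.ini for those hosts.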