PHP can include with no restrictions?

Problems with the Windows version of XAMPP, questions, comments, and anything related.

PHP can include with no restrictions?

Postby Radzio » 07. June 2010 17:54

I have set my Apache to deny any access to root directory but PHP script are still allowed to include/require files from any dir.
Should something be changed in PHP settings?
Radzio
 
Posts: 81
Joined: 05. June 2010 12:26

Re: PHP can include with no restrictions?

Postby Nobbie » 07. June 2010 20:40

Radzio wrote:I have set my Apache to deny any access to root directory but PHP script are still allowed to include/require files from any dir.


Yes of course, a HTTP request and a simple file-open are very very different things.

Radzio wrote:Should something be changed in PHP settings?


Read about "safe_mode" and "open_basedir" restriction if it is satisfactory to your needs.
Nobbie
 
Posts: 13165
Joined: 09. March 2008 13:04

Re: PHP can include with no restrictions?

Postby JonB » 08. June 2010 06:00

Thanks Nobbie for making a good point...

Its worth remembering 'where' the PHP is running and 'whom' it thinks 'it' is on a Windows system running Apache. Apache is calling DLL's to do the work. Thus httpd.exe is/controls the user context for PHP. :shock: This is one of the reasons cross-domain scripting is such a big deal.

The good news is 'normally' YOU get to control what PHP code resides on your server.

Holy Moly Batcoder!
8)
User avatar
JonB
AF Moderator
 
Posts: 3210
Joined: 12. April 2010 16:41
Location: Land of the Blazing Sun
Operating System: Windows XP/7 - Fedora 15 1.7.7

Re: PHP can include with no restrictions?

Postby Radzio » 08. June 2010 08:24

Nobbie wrote:Read about "safe_mode" and "open_basedir" restriction if it is satisfactory to your needs.

Thanks, that really helped. "open_basedir" is what I needed.

I'm learning to understand this better. Till now I thought that restricting access in httpd.conf would affect anything that runs with Apache.

Nobbie wrote:Yes of course, a HTTP request and a simple file-open are very very different things.

So one last question: do all directory access restrictions I made in httpd.conf apply only to HTTP requests?
Radzio
 
Posts: 81
Joined: 05. June 2010 12:26

Re: PHP can include with no restrictions?

Postby Nobbie » 08. June 2010 09:19

Radzio wrote:So one last question: do all directory access restrictions I made in httpd.conf apply only to HTTP requests?


Yes.
Nobbie
 
Posts: 13165
Joined: 09. March 2008 13:04


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 127 guests