NOTE: Before reporting an issue, make sure you are running the latest version, currently 3.3.1

ID: 0015273
Project: phplist application
Category: Installation
View Status: public
Date Submitted: 03-05-09 21:03
Last Update: 29-04-11 18:29
Platform / OS / OS Version: (empty)
Product Version: 2.10.9
Target Version: (empty)
Fixed in Version: 2.10.14
Summary: 0015273: Check for safe_mode wrong
Description:
At 8 occurrences in the code, phplist checks for the PHP Safe Mode like this: "if (ini_get("safe_mode"))". But ini_get("safe_mode") returns "off" which is resolved to true. Thus, phplist always thinks it would run in Safe Mode.

My environment:
PHP Version 5.2.9
System Linux server116 2.6.27-gentoo-r8 #3 SMP Mon Mar 23 02:30:09 CET 2009 i686
Apache Version Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9
Additional Information:
As a quick fix, I changed all ini_get("safe_mode") to "false" as I lost patience and wanted to keep the change as simple as possible. Generally, this should be changed to "if (ini_get("safe_mode") != "off")" or similar.

I hope that this has not been reported before. I tried my best with the search engine but didn't find anything which is strange as all users of this release should suffer from this bug.
Tags: No tags attached.

Relationships:
child of 0015554 (resolved, michiel): System incompatibility: deprecated PHP functions lead to trouble when running PHP 5.3+

Notes
michiel (manager)
04-05-09 14:33

Strange, I have safe mode off and it never happens to me. Seems like a system-specific issue.

However, I guess the suggestion is fine and we can update it.

astro (reporter)
04-05-09 16:14

Well, if it's system specific (has to be, otherwise every user would complain) the check needs to be a bit more complex than my suggestion, but I assume you know that.
Maybe it doesn't depend on the PHP version etc. but simply on what is typed in the php.ini.

openmtl (reporter)
02-03-10 16:03

"Maybe it doesn't depend on the PHP version etc. but simply on what is typed in the php.ini."

... Yup, that seems to be true!

The real check we need in phplist is,

if (((bool)ini_get("safe_mode") === true ) && WARN_ABOUT_PHP_SETTINGS)

rather than just the current phplist code of just if (ini_get("safe_mode") && WARN_ABOUT_PHP_SETTINGS)

Why? One of those things in how php interprets anything from 0,1,on,ON,off,Off and so on for the safe_mode setting in the php.ini file.

We don't always know what people use so we need to cast it to a boolean first because booleans in the .ini files can return the string. This is how php does it anyway ( or rather this seems to be what the phpinfo() shows it does).

If someone does accidentally use On as the php online guide suggests, e.g. it says here that "Whether to enable PHP's safe mode. If PHP is compiled with --enable-safe-mode then defaults to On, otherwise Off."

So though it is a boolean it happily accepts any of safe_mode="Off" or "off" or "on" or "On" and ini_get() returns "off" if you use that.

We don't know what hosting companies set and they may set in a way that php still works fine but that (ini_get("safe_mode")) test fails to work as expected. Thus we should cast it first and then test for true.

openmtl (reporter)
02-03-10 19:49

Actually that won't work right as (bool) doesn't cast strings. I'll find a more inclusive solution. Looking at the source for PHP itself the (Zend) parser for the .ini file is a heck of a lot more comprehensive than just true false.

michiel (manager)
02-03-10 20:33

Maybe the whole safe_mode stuff should be removed. It'll be removed in php 6 anyway.

openmtl (reporter)
03-03-10 09:02

OK, I looked at the PHP source code and AFAIKS we need to look for on, yes and true as well as numerical 1, and guess what: if they are set as strings then they get returned as strings even though they get parsed correctly. Why didn't the PHP people provide an ini_get_boolean() kind of function that emulated the parser?

Anyway here is something that will work.....

  if (((strtolower(@ini_get('safe_mode')) == 'on') ||
  (strtolower(@ini_get('safe_mode')) == 'yes') ||
  (strtolower(@ini_get('safe_mode')) == 'true') ||
  (ini_get("safe_mode") == 1 )) && WARN_ABOUT_PHP_SETTINGS)

...but yes safe_mode is deprecated from php 5.3.0 and removed in 6.0. My hoster is fairly up to date and runs 5.2.8 so it'll be a while yet before we see all sites on 6.0 so we still have to test for safe_mode if it is important.
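
The point the notes above converge on, as an added example that is not part of the original thread or phplist's own code: ini_get() hands back the configured string, so a flag has to be normalized before it is tested. The helper name ini_flag_enabled() and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not phplist code. ini_flag_enabled() is a hypothetical helper name.

/**
 * Interpret a raw ini_get() result as a boolean flag.
 * Enabled: "on", "yes", "true" (any case) or a non-zero integer string.
 * Everything else, including "off", "" and false, is treated as disabled.
 */
function ini_flag_enabled($raw)
{
    if ($raw === false || $raw === null) {
        return false; // ini_get() returns false when the directive does not exist
    }
    $value = strtolower(trim((string) $raw));
    if (in_array($value, array('on', 'yes', 'true'), true)) {
        return true;
    }
    // Assumption: any other value counts as enabled only if it is a non-zero integer.
    return (int) $value !== 0;
}

// Constructed sample values standing in for what ini_get('safe_mode') may return.
$samples = array('off', 'Off', 'on', 'On', 'yes', 'TRUE', '1', '0', '', false);

printf("%-8s %-8s %-8s %-8s\n", 'value', 'if($v)', '(bool)', 'helper');
foreach ($samples as $v) {
    printf(
        "%-8s %-8s %-8s %-8s\n",
        var_export($v, true),
        $v ? 'true' : 'false',          // the bare truthiness check from the report
        (bool) $v ? 'true' : 'false',   // the cast proposed, then withdrawn, in the notes
        ini_flag_enabled($v) ? 'true' : 'false'
    );
}

// Usage in the style of the check discussed in the thread:
// if (ini_flag_enabled(ini_get('safe_mode')) && WARN_ABOUT_PHP_SETTINGS) { ... }
```

The first two result columns are identical for every sample, which is why the cast changes nothing: any non-empty string other than "0" is truthy, "off" included.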

scragz (reporter)
17-03-11 21:30

Confirmed on latest CentOS. Just upgraded phpList hoping this would be fixed.

michiel (manager)
29-04-11 18:29
