View Issue Details

IDProjectCategoryView StatusLast Update
0015273phplist applicationInstallationpublic29-04-11 18:29
Status resolvedResolutionfixed 
Product Version2.10.9 
Target VersionFixed in Version2.10.14 
Summary0015273: Check for safe_mode wrong
DescriptionAt 8 occurrences in the code, phplist checks for the PHP Safe Mode like this: "if (ini_get("safe_mode"))". But ini_get("safe_mode") returns "off" which is resolved to true. Thus, phplist always thinks it would run in Safe Mode.

My environment:
PHP Version 5.2.9
System Linux server116 2.6.27-gentoo-r8 #3 SMP Mon Mar 23 02:30:09 CET 2009 i686
Apache Version Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9
Additional InformationAs a quick fix, I changed all ini_get("safe_mode") to "false" as I lost patience and wanted to keep the change as simple as possible. Generally, this should be changed to "if (ini_get("safe_mode") != "off")" or similar.

I hope that this has not been reported before. I tried my best with the search engine but didn't find anything which is strange as all users of this release should suffer from this bug.
TagsNo tags attached.


child of 0015554 resolvedmichiel System incompatibility: deprecated PHP functions lead to trouble when running PHP 5.3+ 



04-05-09 14:33

manager   ~0050630

strange, I have safe mode off and it never happens to me. Seems like a system specific issue.

however, I guess the suggestion is fine and we can update it.


04-05-09 16:14

reporter   ~0050636

Well, if it's system specific (has to be, otherwise every user would complain) the check needs to be a bit more complex than my suggestion, but I assume you know that.
Maybe it doesn't depend on the PHP version etc. but simply on what is typed in the php.ini.


02-03-10 16:03

reporter   ~0050842

"Maybe it doesn't depend on the PHP version etc. but simply on what is typed in the php.ini. "

..... Yup that seems to be true !.

The real check we need in phplist is,

if (((bool)ini_get("safe_mode") === true ) && WARN_ABOUT_PHP_SETTINGS)

rather than just the current phplist code of just if (ini_get("safe_mode") && WARN_ABOUT_PHP_SETTINGS)

Why ? One of those things in how php interprets anything from 0,1,on,ON,off,Off and so on for the safe_mode setting in the php.ini file.

We don't always know what people use so we need to cast it to a boolean first because booleans in the .ini files can return the string. This is how php does it anyway ( or rather this seems to be what the phpinfo() shows it does).

If someone does accidentally use On as the php online guide suggests e.g. it says here that "Whether to enable PHP's safe mode. If PHP is compiled with --enable-safe-mode then defaults to On, otherwise Off. "

So though it is a boolean it happily accepts any of safe_mode="Off" or "off" or "on" or "On" and ini_get() returns "off" if you use that.

We don't know what hosting companies set and they may set in a way that php still works fine but that (ini_get("safe_mode")) test fails to work as expected. Thus we should cast it first and then test for true.


02-03-10 19:49

reporter   ~0050843

Actually that won't work right as (bool) doesn't cast strings. I'll find a more inclusive solution. Looking at the source for PHP itself the (Zend) parser for the .ini file is a heck of a lot more comprehensive than just true false.


02-03-10 20:33

manager   ~0050844

maybe the whole safe_mode stuff should be removed. It'll be removed in php 6 anyway


03-03-10 09:02

reporter   ~0050845

OK I looked at the PHP source code and AFAIKS we need to look for on, yes and true as well as numerical 1 and guess what if they are set as stings then the get returned as strings even though they get parsed correctly. Why didn't the PHP people provide a ini_get_boolean() kind of function that emulated the parser ?

Anyway here is something that will work.....

  if (((strtolower(@ini_get('safe_mode')) == 'on') ||
  (strtolower(@ini_get('safe_mode')) == 'yes') ||
  (strtolower(@ini_get('safe_mode')) == 'true') ||
  (ini_get("safe_mode") == 1 )) && WARN_ABOUT_PHP_SETTINGS)

...but yes safe_mode is deprecated from php 5.3.0 and removed in 6.0. My hoster is fairly up to date and runs 5.2.8 so it'll be a while yet before we see all sites on 6.0 so we still have to test for safe_mode if it is important.


17-03-11 21:30

reporter   ~0051172

Confirmed on latest CentOS. Just upgraded phpList hoping this would be fixed.


29-04-11 18:29

manager   ~0051221