View Issue Details
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0015273||phpList 3 application||Installation||public||03-05-09 20:03||29-04-11 17:29|
|Target Version||Fixed in Version||2.10.14|
|Summary||0015273: Check for safe_mode wrong|
|Description||At 8 occurrences in the code, phplist checks for the PHP Safe Mode like this: "if (ini_get("safe_mode"))". But ini_get("safe_mode") returns "off" which is resolved to true. Thus, phplist always thinks it would run in Safe Mode. |
PHP Version 5.2.9
System Linux server116 2.6.27-gentoo-r8 #3 SMP Mon Mar 23 02:30:09 CET 2009 i686
Apache Version Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8k PHP/5.2.9
|Additional Information||As a quick fix, I changed all ini_get("safe_mode") to "false" as I lost patience and wanted to keep the change as simple as possible. Generally, this should be changed to "if (ini_get("safe_mode") != "off")" or similar.|
I hope that this has not been reported before. I tried my best with the search engine but didn't find anything which is strange as all users of this release should suffer from this bug.
|Tags||No tags attached.|
strange, I have safe mode off and it never happens to me. Seems like a system specific issue.
however, I guess the suggestion is fine and we can update it.
Well, if it's system specific (has to be, otherwise every user would complain) the check needs to be a bit more complex than my suggestion, but I assume you know that.
Maybe it doesn't depend on the PHP version etc. but simply on what is typed in the php.ini.
"Maybe it doesn't depend on the PHP version etc. but simply on what is typed in the php.ini. "
..... Yup that seems to be true !.
The real check we need in phplist is,
if (((bool)ini_get("safe_mode") === true ) && WARN_ABOUT_PHP_SETTINGS)
rather than just the current phplist code of just if (ini_get("safe_mode") && WARN_ABOUT_PHP_SETTINGS)
Why ? One of those things in how php interprets anything from 0,1,on,ON,off,Off and so on for the safe_mode setting in the php.ini file.
We don't always know what people use so we need to cast it to a boolean first because booleans in the .ini files can return the string. This is how php does it anyway ( or rather this seems to be what the phpinfo() shows it does).
If someone does accidentally use On as the php online guide suggests e.g. it says here http://www.php.net/manual/en/ini.sect.safe-mode.php that "Whether to enable PHP's safe mode. If PHP is compiled with --enable-safe-mode then defaults to On, otherwise Off. "
So though it is a boolean it happily accepts any of safe_mode="Off" or "off" or "on" or "On" and ini_get() returns "off" if you use that.
We don't know what hosting companies set and they may set in a way that php still works fine but that (ini_get("safe_mode")) test fails to work as expected. Thus we should cast it first and then test for true.
||Actually that won't work right as (bool) doesn't cast strings. I'll find a more inclusive solution. Looking at the source for PHP itself the (Zend) parser for the .ini file is a heck of a lot more comprehensive than just true false.|
||maybe the whole safe_mode stuff should be removed. It'll be removed in php 6 anyway|
OK I looked at the PHP source code and AFAIKS we need to look for on, yes and true as well as numerical 1 and guess what if they are set as stings then the get returned as strings even though they get parsed correctly. Why didn't the PHP people provide a ini_get_boolean() kind of function that emulated the parser ?
Anyway here is something that will work.....
if (((strtolower(@ini_get('safe_mode')) == 'on') ||
(strtolower(@ini_get('safe_mode')) == 'yes') ||
(strtolower(@ini_get('safe_mode')) == 'true') ||
(ini_get("safe_mode") == 1 )) && WARN_ABOUT_PHP_SETTINGS)
...but yes safe_mode is deprecated from php 5.3.0 and removed in 6.0. My hoster is fairly up to date and runs 5.2.8 so it'll be a while yet before we see all sites on 6.0 so we still have to test for safe_mode if it is important.
||Confirmed on latest CentOS. Just upgraded phpList hoping this would be fixed.|