Dynamo

5 replies to this thread. Most Recent

JDW

2 Jun 2015, 9:13 am

PHP & Safe Mode

I am still learning PHP and experimenting with code. I read that the following code should print “Goodbye” and “Sleeping…” but that it should NOT print “Done!” However, when it executes on my server (a hosted web space), it prints all 3:

<?php
    function say_goodbye() {
        print "Goodbye!<br>";
    }
    register_shutdown_function("say_goodbye");
    set_time_limit(1);
    print "Sleeping...<br>";
    sleep(2);
    print "Done!";
?>
Sleeping...
Done!
Goodbye!

According to the PHP documentation, set_time_limit() has no effect when SAFE MODE is enabled on the server, which would explain why all 3 print statements above display in the browser window:

http://php.net/manual/en/function.set-time-limit.php

And when I run phpinfo() on my server and view the content in-browser, within the Configure Command section it says:

‘—enable-safe-mode’

All this indicates that SAFE MODE is indeed ENABLED on my server (Apache).

However, there is something strange going on. According to the PHP manual on “Security & Safe Mode”, the following code should result in an error on my server if Safe Mode is Enabled:

<?php
 echo '<pre>';
 readfile('/etc/passwd'); 
 echo '</pre>';
?>

But in fact, the above code displays the full list of logins, such as:

root:x:0:0:root:/root:/bin/bash

and my own login, and everyone else registered on the server!

My server is running PHP version 5.3.27, if that matters.

I would appreciate hearing your thoughts.

Thanks,

James Wages

waltd

2 Jun 2015, 11:15 am

Safe mode is an odd thing, it is meant to secure the server from certain types of attack, but it really is theater in my opinion, and it usually leads to a bunch of hard to diagnose bugs in otherwise normal PHP code. To see if the PHP interpreter is really convinced that it is in safe mode, create a phpinfo() page and visit it in a browser. (Just a plain text file named something.pho with <?php phpinfo(); ?> in it.) You will see two values opposite each parameter in the server: global and local (name uncertain). These refer to what the main ini file sets and what the local environment is really doing. The fact that the server was compiled with —enable-safe-mode just means that that option was added to the server, not that it is on or even on locally. (Config files can override one another, just like CSS, so the nearest one wins.)

Find out what is really going on in the local environment, and then we can tackle the rest of the problem.

Walter

On Jun 2, 2015, at 5:13 AM, JDW <[email protected]> wrote:

I am still learning PHP and experimenting with code. I read that the following code should print “Goodbye” and “Sleeping…” but that it should NOT print “Done!” However, when it executes on my server (a hosted web space), it prints all 3:

<?php
>    function say_goodbye() {
>        print "Goodbye!<br>";
>    }
>    register_shutdown_function("say_goodbye");
>    set_time_limit(1);
>    print "Sleeping...<br>";
>    sleep(2);
>    print "Done!";
> ?>
Sleeping...
Done!
Goodbye!

According to the PHP documentation, set_time_limit() has no effect when SAFE MODE is enabled on the server, which would explain why all 3 print statements above display in the browser window:

http://php.net/manual/en/function.set-time-limit.php

And when I run phpinfo() on my server and view the content in-browser, within the Configure Command section it says:

‘—enable-safe-mode’

All this indicates that SAFE MODE is indeed ENABLED on my server (Apache).

However, there is something strange going on. According to the PHP manual on “Security & Safe Mode”, the following code should result in an error on my server if Safe Mode is Enabled:

<?php
> echo '<pre>';
> readfile('/etc/passwd'); 
> echo '</pre>';
> ?>

But in fact, the above code displays the full list of logins, such as:

root:x:0:0:root:/root:/bin/bash

and my own login, and everyone else registered on the server!

My server is running PHP version 5.3.27, if that matters.

I would appreciate hearing your thoughts.

Thanks,

James Wages

Freeway user since 1997

http://www.walterdavisstudio.com

David Ledger

2 Jun 2015, 11:29 am

On 2 Jun 2015, at 10:13, JDW wrote:

I am still learning PHP and experimenting with code. I read that the following code should print “Goodbye” and “Sleeping…” but that it should NOT print “Done!” However, when it executes on my server (a hosted web space), it prints all 3:

<?php
>    function say_goodbye() {
>        print "Goodbye!<br>";
>    }
>    register_shutdown_function("say_goodbye");
>    set_time_limit(1);
>    print "Sleeping...<br>";
>    sleep(2);
>    print "Done!";
> ?>
Sleeping...
Done!
Goodbye!

According to the PHP documentation, set_time_limit() has no effect when SAFE MODE is enabled on the server, which would explain why all 3 print statements above display in the browser window:

http://php.net/manual/en/function.set-time-limit.php

A ‘sleep’ merely relinquishes the cpu and takes the current process off the run queue for a while. Wallclock time advances but execution time does not during those two seconds. It’s execution time that is limited by set_time_limit().

As for the file access in Safe Mode, from the online manual it seems that Safe Mode is a mess. There are several ‘ifs’ and ‘buts’ regarding other modes, the OS, the PHP version. My main server does not set Safe Mode so I’m not used to working with it. Unless someone else comes up with something useful I’d suggest you use your test results rather than the documentation as the indicator as to how your system works in this case.

David

And when I run phpinfo() on my server and view the content in-browser, within the Configure Command section it says:

‘—enable-safe-mode’

All this indicates that SAFE MODE is indeed ENABLED on my server (Apache).

However, there is something strange going on. According to the PHP manual on “Security & Safe Mode”, the following code should result in an error on my server if Safe Mode is Enabled:

<?php
> echo '<pre>';
> readfile('/etc/passwd'); 
> echo '</pre>';
> ?>

But in fact, the above code displays the full list of logins, such as:

root:x:0:0:root:/root:/bin/bash

and my own login, and everyone else registered on the server!

My server is running PHP version 5.3.27, if that matters.

I would appreciate hearing your thoughts.

Thanks,

James Wages

JDW

2 Jun 2015, 1:20 pm

Thank you for the guidance, Walter. I just now confirmed that the “safe_mode” directive for both the Local and Master values is set to OFF on my server.

So I am now pondering set_time_limit() again. David, perhaps you would have some additional thoughts on this?

Note that the example code I am running was pulled from the following page, which explains that ‘the “Done!” print line will never be executed, because the time limit is set to 1, and the sleep() function is called with 2 as its parameter, so the script will sleep for 2 seconds. As a result, “Sleeping…” gets printed, followed probably by a warning about the script going over its time limit, then the shutdown function gets called.’

http://www.hackingwithphp.com/4/13/0/connection-related-functions

But like I said in my opening post, “Done!” gets printed to the browser window. That is the source of my confusion here.

Thanks.

waltd

2 Jun 2015, 11:23 pm

Execution time is not the same as clock time. Sleep stops the execution time, so if you set it to sleep 2 seconds, the wall clock will advance 2 seconds while the execution clock is stopped. When sleep finishes, the execution clock starts running again, and then the command after that runs. From the execution clock’s standpoint, no time has elapsed, so the set_timeout function doesn’t see that any time has passed. I don’t see how this example would ever do what they claim it should do.

Walter

On Jun 2, 2015, at 9:19 AM, JDW <[email protected]> wrote:

Thank you for the guidance, Walter. I just now confirmed that the “safe_mode” directive for both the Local and Master values is set to OFF on my server.

So I am now pondering set_time_limit() again. David, perhaps you would have some additional thoughts on this?

Note that the example code I am running was pulled from the following page, which explains that ‘the “Done!” print line will never be executed, because the time limit is set to 1, and the sleep() function is called with 2 as its parameter, so the script will sleep for 2 seconds. As a result, “Sleeping…” gets printed, followed probably by a warning about the script going over its time limit, then the shutdown function gets called.’

http://www.hackingwithphp.com/4/13/0/connection-related-functions

But like I said in my opening post, “Done!” gets printed to the browser window. That is the source of my confusion here.

Thanks.

Freeway user since 1997

http://www.walterdavisstudio.com

Back to Top

JDW

3 Jun 2015, 2:49 am

Understood.

Thank you, Walter.

—James W.