From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02

Description of problem:
The "include" directive does not respect safe_mode constraints.

Version-Release number of selected component (if applicable):
php-4.1.2-7.2.6

How reproducible:
Always

Steps to Reproduce:
1. activate safe_mode
2. create a user php file with the content <?php include("/etc/passwd") ?>
3. point your browser at it

Actual Results:
You see the content of /etc/passwd

Expected Results:
You should get an error complaining about safe mode being in effect

Additional info:
It seems that the problem is already known: http://www.securityfocus.com/archive/1/329395/2003-07-17/2003-07-23/0
A further test shows that this bug only applies to absolute path includes. That is, <? include "../../../etc/passwd"; ?> fails as it should, while <? include "/etc/passwd"; ?> includes the file. The problem certainly lies in function "php_fopen_with_path", inside "main/fopen_wrappers.c"; as soon as I have time, I will try to track it down more closely.
Forgive me for the fuss I've made... no bug in PHP, simply my /etc/php.ini which had the line safe_mode_include_dir = /usr/share/pear: with the ending colon... this caused every path to match.
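
Added example, not part of the original thread and not PHP's source: a simplified C model of a colon-separated prefix allow-list, showing why the trailing colon in the last comment produces an empty entry that matches every path, together with a check that flags such entries in a configured value. The function names prefix_allowed and empty_entries, and the matching logic itself, are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a colon-separated prefix allow-list; NOT PHP's source.
 * prefix_allowed() and empty_entries() are hypothetical names. */

/* Returns 1 if `path` starts with any entry of `list`.
 * skip_empty = 0 models a check that compares every entry, empty ones included. */
static int prefix_allowed(const char *list, const char *path, int skip_empty)
{
    for (const char *p = list;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        /* A zero-length entry compares zero bytes, so strncmp() reports a
         * match for every path unless the entry is skipped. */
        if ((len > 0 || !skip_empty) && strncmp(path, p, len) == 0)
            return 1;
        if (!end)
            return 0;
        p = end + 1;
    }
}

/* Config lint: number of empty entries (leading, doubled or trailing colon). */
static int empty_entries(const char *list)
{
    int n = 0;
    for (const char *p = list;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0)
            n++;
        if (!end)
            return n;
        p = end + 1;
    }
}

int main(void)
{
    const char *reported = "/usr/share/pear:"; /* value quoted in the last comment */
    const char *fixed = "/usr/share/pear";     /* same value without the colon */
    printf("trailing colon, empty compared: %d\n", prefix_allowed(reported, "/etc/passwd", 0));
    printf("trailing colon, empty skipped:  %d\n", prefix_allowed(reported, "/etc/passwd", 1));
    printf("no colon, empty compared:       %d\n", prefix_allowed(fixed, "/etc/passwd", 0));
    printf("empty entries: %d vs %d\n", empty_entries(reported), empty_entries(fixed));
    return 0;
}
```

Running empty_entries over every path-list value in php.ini flags this kind of misconfiguration before it silently widens an allow-list.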