SafeMode and PathInfo / 3.1CompatibilityMode or HighSecurity?

by Vitor M. N. Fernandes -
Number of replies: 2

In 3.1 compatible mode (also known as safe_mode=on) I can't create dirs as user.user, only apache.user (02777), and I can't get my web hosting company to set safe_mode_gid to on! That makes it impossible to write files to dirs. I've read that Moodle should address this... but when??

In High Security (also known as safe_mode=off) I can't use http://server/dir/script.php/dir/file.html (dummy) since path_info will not be set to enabled. With this disabled it is impossible to get SCORM deployment working because, e.g. (dummy files):
html: http://server/dir/script.php/dir/file.html with a local image.gif: the browser tries to get it from http://server/dir/image.gif ! Relative paths don't work.

Those two situations are incompatible!!!
Moodle should, SHOULD work with safe_mode=on for compatibility reasons! The dirs should always have user.user {ftp_mkdir()?} like the files, and safe_mode troubles will end!!! ... but when??

In reply to Vitor M. N. Fernandes

Re: SafeMode and PathInfo / 3.1CompatibilityMode or HighSecurity?

by Martin Dougiamas -
Something that should help in SOME cases is going into 1.5 (see bug 2093), but by definition "safe" mode restricts scripts from writing files. Some safe mode settings (like safe_mode_gid) may be impossible to work around (other than by changing hosts to someone who knows more about web application security than to need PHP's unnecessary safe mode).
In reply to Martin Dougiamas

Re: SafeMode and PathInfo / 3.1CompatibilityMode or HighSecurity?

by Vitor M. N. Fernandes -

TX for your info...
Now I opted for SafeMode (=on) since my webhost in HighSecurity (SafeMode=off) doesn't allow slashed args "...dir/script.php/arg/arg...".
I've switched mkdir to ftp_mkdir, which works just fine (started up by Dick Davies' patch), and in SafeMode I own my dirs! (myuser.mygroup) ;)
Uploaded files are written as webuser.mygroup; since I've changed all from 0777 to 02777 (another poster's idea?) they inherit mode and GID.

But when unpacking a zip (with dirs with dirs / files) trouble comes out of the box!!! Zip root files / folders are written as webuser.mygroup... and the problem arises when something must go to a folder outside of the root folder... SafeMode restrictions arise?? (no error is given but subfolders are empty?!) Unzip code bug??

If only the zip could be unpacked and uploaded via FTP! I have little experience with PHP but it seems that using FTP for uploads / mkdirs / etc... should solve everybody's problem. Any good PHP coder want to try it out? Moodle would become immune to SafeMode... a VERY GOOD ADDON?! :D

Keep up the GOOD work Martin Dougiamas !

PS:
I've already read
http://bugs.php.net/bug.php?id=24604 and much more... my problems now are multiple dir zip uploads...
For now I'm re-unzipping files to get the right owner/group on dirs/files!

Vitor M. N. Fernandes - http://www.vmnf.net/moodle
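
The approach the last post asks for, as an added example (not Moodle's code and not the patch mentioned in the thread): every directory a zip needs is created over FTP first, so the directories belong to the FTP account, and PHP then writes the files into them. The function names and the host, credential and path parameters are hypothetical, and PHP 5.2+ with the ftp and zip extensions is assumed.

```php
<?php
// Added example, not Moodle code. Assumes PHP 5.2+ with the ftp and zip extensions.
// Directories an archive needs, parents first; refuses absolute and ".." names.
function archive_dirs(array $entries) {
    $dirs = array();
    foreach ($entries as $name) {
        $name = str_replace('\\', '/', $name);
        if ($name === '' || $name[0] === '/' || in_array('..', explode('/', $name), true)) {
            throw new Exception("unsafe entry name: $name");
        }
        $dir = (substr($name, -1) === '/') ? rtrim($name, '/') : dirname($name);
        $path = '';
        foreach (explode('/', $dir) as $seg) {
            if ($seg === '' || $seg === '.') { continue; }
            $path = ($path === '') ? $seg : "$path/$seg";
            $dirs[$path] = true;
        }
    }
    return array_keys($dirs);
}

// Create each directory over FTP so the FTP account owns it, not the web server user.
function ftp_make_dirs($ftp, $ftpRoot, array $dirs, $mode = 02777) { // mode from the post
    foreach ($dirs as $dir) {
        $target = rtrim($ftpRoot, '/') . '/' . $dir;
        if (@ftp_chdir($ftp, $target)) { continue; }   // already exists
        if (@ftp_mkdir($ftp, $target) === false) {
            throw new Exception("FTP mkdir failed: $target");
        }
        ftp_chmod($ftp, $mode, $target);
    }
}

// Unpack $zipFile into $localRoot, the directory the FTP account sees as $ftpRoot.
function unzip_via_ftp($zipFile, $localRoot, $ftpHost, $ftpUser, $ftpPass, $ftpRoot) {
    $zip = new ZipArchive();
    if ($zip->open($zipFile) !== true) { throw new Exception("cannot open $zipFile"); }
    $names = array();
    for ($i = 0; $i < $zip->numFiles; $i++) { $names[] = $zip->getNameIndex($i); }
    $ftp = ftp_connect($ftpHost);
    if (!$ftp || !ftp_login($ftp, $ftpUser, $ftpPass)) { throw new Exception('FTP login failed'); }
    ftp_make_dirs($ftp, $ftpRoot, archive_dirs($names));  // throws before anything is written
    ftp_close($ftp);
    foreach ($names as $i => $name) {
        if (substr($name, -1) === '/') { continue; }   // directory entry, already created
        file_put_contents("$localRoot/" . str_replace('\\', '/', $name), $zip->getFromIndex($i));
    }
    $zip->close();
}
```

Plain FTP sends the account password in clear text; `ftp_ssl_connect()` takes the place of `ftp_connect()` where the host supports it. The default mode is the 02777 used in the thread and can be tightened (for example 02775) when the web server user is a member of the directory's group.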