[Phpmyadmin-devel] disabled functions for security

Marc Delisle DelislMa at CollegeSherbrooke.qc.ca
Sun Mar 9 02:38:06 CET 2003


Garvin Hicking wrote:
> Hi Marc!
> 
> 
>>So, another suggestion.  We reverse the logic of this part of code.
>>
>>If we cannot detect that file uploads are disabled, we set $is_upload to
>>TRUE.
> 
> 
> No, that's not really what I meant. I just wanted to propose, let the user choose
> via $cfg[] option to override any autodetections for $is_upload. Like this:
> 
> $cfg['OverrideUpload'] = FALSE; // If set to TRUE, you can choose to override
> auto-detection of your PHP's ability to allow file uploads and ENABLE them by all
> means. Some PHP-installations permit the auto-detection function (ini_get) because
> of security issues so phpMyAdmin is not able to see if you can or cannot use file
> uploads. WARNING: If your PHP installation is not able to allow file uploads, you
> will definitely get errors and warnings when setting this to true.
> 
> Should also beat any existing records for the longest variable comment. ;-))
> 
> Regards,
> Garvin.

Garvin,

I know it's not what you meant, that's why I said "another suggestion".
I don't think that we should add another config variable to work around a
PHP bug. Config variables add to complexity, and most users don't read 
the doc.

The current is_upload philosophy avoids displaying the file selector
if we cannot detect that uploads are allowed. So if we reverse the 
logic, we will avoid displaying the file selector if we detect that
uploads are not allowed, and sometimes (where PHP is < 43000 and
ini_get() is not available), we will display a file selector that
won't work. I think that this is acceptable.

Marc
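
The two detection philosophies discussed in this message, side by side, as an added example that is not part of the original e-mail and is not phpMyAdmin code. The function names are hypothetical, and "detection not possible" is modelled as a null probe result, for instance when ini_get() is listed in disable_functions.

```php
<?php
// Added illustration; not phpMyAdmin source. Function names are hypothetical.

/**
 * Probe PHP's file_uploads setting.
 * Returns true/false when the setting can be read, null when it cannot
 * (for example ini_get() is listed in disable_functions).
 */
function probe_file_uploads(): ?bool
{
    // function_exists() returns false for functions disabled via disable_functions.
    if (!function_exists('ini_get')) {
        return null;
    }
    $raw = ini_get('file_uploads');
    if ($raw === false) {
        return null; // directive could not be read
    }
    // "1", "On", "true" count as enabled; "", "0", "Off" as disabled.
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

/** Current philosophy: show the file selector only when uploads are known to be allowed. */
function is_upload_current(?bool $probe): bool
{
    return $probe === true;
}

/** Reversed philosophy: hide the file selector only when uploads are known to be disabled. */
function is_upload_reversed(?bool $probe): bool
{
    return $probe !== false;
}

// Constructed probe results covering the three cases from the thread.
$cases = [
    'uploads detected as allowed'  => true,
    'uploads detected as disabled' => false,
    'detection not possible'       => null,
];

foreach ($cases as $label => $probe) {
    printf("%-30s current=%-5s reversed=%s\n", $label,
        var_export(is_upload_current($probe), true),
        var_export(is_upload_reversed($probe), true));
}

// Value for this host under the reversed logic.
$is_upload = is_upload_reversed(probe_file_uploads());
```

The two policies differ only in the third case: the current logic hides the selector, while the reversed logic shows one that may not work.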