2 files changed, 31 insertions, 0 deletions

diff --git a/ext/oci8/oci8.c b/ext/oci8/oci8.c
index 5fb8f9ff7e..051e177c1d 100644
--- a/ext/oci8/oci8.c
+++ b/ext/oci8/oci8.c
@@ -1012,6 +1012,16 @@ php_oci_connection *php_oci_do_connect_ex(char *username, int username_len, char
 				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Privileged connect is disabled. Enable oci8.privileged_connect to be able to connect as SYSOPER or SYSDBA");
 				return NULL;
 			}
+			/*  Disable privileged connections in Safe Mode (N.b. safe mode has been removed in PHP 6 anyway) */
+			if (PG(safe_mode)) {
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Privileged connect is disabled in Safe Mode");
+				return NULL;
+			}
+			/* Increase security by not caching privileged
+			 * oci_pconnect() connections. The connection becomes
+			 * equivalent to oci_connect() or oci_new_connect().
+			 */
+			persistent = 0;
 			break;
 		default:
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid session mode specified (%ld)", session_mode);
diff --git a/ext/oci8/tests/oci8safemode.phpt b/ext/oci8/tests/oci8safemode.phpt
new file mode 100644
index 0000000000..4662b44487
--- /dev/null
+++ b/ext/oci8/tests/oci8safemode.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Test functionality disabled in safe mode
+--SKIPIF--
+<?php if (!extension_loaded('oci8')) die("skip no oci8 extension"); ?>
+--INI--
+safe_mode=On
+oci8.privileged_connect=On
+--FILE--
+<?php
+
+$c = oci_connect("hr", "hrpwd", "//localhost/XE", null, OCI_SYSDBA);
+
+$r = oci_password_change($c, "hr", "hrpwd", "hrpwd");
+
+echo "Done\n";
+?>
+--EXPECTF--
+Warning: oci_connect(): Privileged connect is disabled in Safe Mode in %s on line %d
+
+Warning: oci_password_change(): is disabled in Safe Mode in %s on line %d
+Done