Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:105633 Return-Path: Delivered-To: mailing list internals@lists.php.net Received: (qmail 96026 invoked from network); 7 May 2019 22:04:39 -0000 Received: from unknown (HELO mail-pg1-f172.google.com) (209.85.215.172) by pb1.pair.com with SMTP; 7 May 2019 22:04:39 -0000 Received: by mail-pg1-f172.google.com with SMTP id p6so8766067pgh.9 for ; Tue, 07 May 2019 12:08:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:openpgp:autocrypt:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=3u1jMkNWmyd0AzJonDv8aznIvDYA85Y8yNZveVA0PQg=; b=py2R40CHeSkFek57b+T9c+mrs/FebaGQ8O2JW7NrOlsJ/wTvSpn7VyOHikLcn3UJhV 99WSw0pd5mcRyFYCt2p/+c/Bme65BLjUwn5Z/5PgVX5ir8oItHTUUD+e7Ip3ZYHbdKBe xysniP6DCaI7pdFvZQELsQgwnsnOpTwgXGnuSwg9XAEvqorz5HE7bIAiRy0pYfHBkmH/ 5ISXfADNpmsg5MsAFg6kRVr375osviihx3QZeJ3iurz/IlZG55Q6epj7LOi8P0sPfAO9 dJUn0OfeRMWWK9TGf8GaBtglrMvLUyBHeK5SUtbL8R/Cb1oxefuKIrtFC1ECnOTrqQ0y JD/g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:openpgp:autocrypt :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=3u1jMkNWmyd0AzJonDv8aznIvDYA85Y8yNZveVA0PQg=; b=SmfchJFku784nAndumKjAehRhpS8112z6srke8q+BhEHyEAmTelhhwuUdRNTkD2IYz nVki+/VLNXw0p0hthMHJF5w6rbqQ45O6p06oTiYyJhT9tJP9VkQPUG46lac4LFkvV3j5 k4m3woC1Spb9dv2tBhydqyzQV9E0K30XWGU6ZdUzWE65BW+1aubUUQZ/pL6rT7FmEFfr 3dIHN/lp8KN6RBODG7dGmSPCZIkA1bqNMx5QKVEY4pK1riH+6kKhNutl2wlBfW1yU9Xf D3F3n/kM3EwggU6m/0OU3X5uRNmCmvAcTgw4Cl2b+I45MjG+aBWbnLmY2v7K8Idhc6wO AXDg== X-Gm-Message-State: APjAAAVmnPQBkkEMqTWawIKYd11xJa9EOKiQQIKguxHIr0MWNDZ1GCP2 /v9SHUyfp/mR77Lzubz4EB9h+yY/7Q== X-Google-Smtp-Source: APXvYqybOq83RqoUEEDlccye8nIGpNlr/5C4ho2pr9SxLbq3lwxmjZ7c5oCtU9VK3bKkGG9Hgb3VkQ== X-Received: by 2002:a62:4e86:: with SMTP id c128mr42561090pfb.39.1557256115364; Tue, 07 May 2019 12:08:35 -0700 (PDT) Received: from Stas-Pro-2016.local (c-24-4-176-254.hsd1.ca.comcast.net. [24.4.176.254]) by smtp.gmail.com with ESMTPSA id f64sm6324738pfc.62.2019.05.07.12.08.34 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 07 May 2019 12:08:34 -0700 (PDT) To: Rowan Collins , PHP internals References: Openpgp: preference=signencrypt Autocrypt: addr=smalyshev@gmail.com; prefer-encrypt=mutual; keydata= mQMuBE9mqaARCACFSqcGmNunkjQQu3X+yXnTmFeEkvM4JXZTOBdR8aEevNGmmFEfyvjaDjWi 9hcwp4E/lYtC+P7VsVjM1OSX9eq0jC/lGL0ZyRXek+mNy0n5H1NSuTpf9Y18LMqhc4G+RU+L cNiZ9K0DJuOOvNLPxW7OHZguxb3wdKPXNVa2jyRfJAKm2uaJJMT1mTmFT9a0Q8SKr+mUrrJk uG0H2o6SzrKt8Wwoint1eh67zVsJaJtQFchnEZnlawIcqP2yC4nLGR3MkubowxoEBYCZet18 aHVVRbvpG2Qtob8Lu5xrsGbmXymTkHTdpvkfcJFADa8MzOL90zOxXwbGfbIZOlh5En8jAQCX lfnx2eQL3BSW/6XANa51dbWiEp1d1BAkpGKtZvlk0Qf+M9WAi+9aXMe3xP5krxtgnRNUf2WN 6Zdy2MxL1RRJCFbytLhl0ronC49BsGYVGshdEH8xhBbiIOJKuVZ/DTl9bEm7P9c7CC7iJyVC khUAhouH6xzZQNLR+RU+QebYzXypVfl99Qk7EdMmr/WAZCHLuvanyqepC5EBsa3VnAfQemSN oBeGBKWWLiOsPjvS72+y1z4RUMAfXHn4l/sFMt8zt7/74AmJPwZquV41p4mPO12V4+xPyc6R sB84sfsk2QVivU8w8AkvGQeYjXoz7Iwao95+fWteVzZ36KRQvUckP8pGjHlDXnHxJ0HI1I/k OBZSjwRwUf0dd73y6erPhbLk+gf+NdI3H9KGJBzG5/rVyWKwUeQ9d5ud4jTJRkQGvAP5pg76 vEa9dogbpe4W5Z+0BfbiJSnQmQWSHiZddj/t33ptbup44Ck6ZTgdlmFYMLF1hR47PIZTDKER EuKYGci/vq8snZvEJP9YCw/TtiHcMdrMKcY/+Lp8lQO0GHLPB9glVhnC0db6l1Xpg1CMI8/R ozBMcij30EgATggC/y2zbiqAFoS9FN9nXPbe4phStqABEyeZ+nXudt7PUYTjVgcrqo8bHZCi sBobWC7OnKyUzxVxzUeuPkIfmZuzkLaMw2McQdvwwsNvQ0DzaLP30c1Xsm/7EIYJcOWpzlVJ 5QrdmE0/BbQyU3RhbmlzbGF2IE1hbHlzaGV2IChQSFAga2V5KSA8c21hbHlzaGV2QGdtYWls LmNvbT6IegQTEQgAIgUCT2aqtAIbAwYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQL3lW vF2gS12XMwD9HuRIolSwIK77u8EY461y2u6sbX36n5/uo/LDQuxoi3sA/0MvpnvzOhv9Iufv vsZEj3E7i3h+iD5648YMwfTFCij+uQINBE9mqaAQCADfZPMpjZkkGZj3BY/7ApoLq4mwqzbh +CpLXwNn20tFNvSXfb8RdeXvVEb7Scx+W9qYpiaun2iXJgCVH8fgpZpR856ulT1q6uCG++CX ubEvip/eJkZl93/84h04KQJwsgOrAh0Om3OePRn8Pr+++0LNS0EL8uX/YHeTOGOnnmTqYTey SBVFdov6L4mepddfjekicKQqhL7mZh/xuq29JijT0uNNX8v4vDWQDu5dlAcdd+uB3gcXMD/P ginD11zp+6wtrWCm/+yBqpvDwXQX5PGUnwvbRfl7Ay3MmwmoXiecZMg0dwTSc7e0lhB4HGRH ZdBMJB4rHUVGdzqujK/ctOvrAAMFB/0Utb76Qe6sCMlHxVAmeE/fbo7Pi05btZ/x01r67dHf aMSP0riCKJ7M0OW+jAXtu9+z/BVnYisW67WWfxl2cS5tZDgiHgJARXWUOO72+sScHP8KQmTl 1z16gyKbwY3SmyBkwcpOL35nhUWNLy93syPoY6sZUTikr2bZYukHDQ33XBPs4e6MbWKfsa9q aVmnlOF3k5UqChjutfHaEa4Q7VP4wBIpphHBi9MI16oJIzzBPbGl2uoedjwiZ6QeQZnSuOVY ZxU2d3lRA8PrtfFN1VSlpEm/VcAvtieHUYWHN0wOu+cp3Slr5XJVNjTjJhl28SlinMME54mK AGf2Ldr/dRwXiGEEGBEIAAkFAk9mqaACGwwACgkQL3lWvF2gS126EQD/VVd3FgjLKglClRQP zdfU847tqDK4zJjbmRv5vLLwoE0A+wbrQs7jVGU3NrS0AIl5vUmewpp2BKzSkepy23nWmejw Message-ID: <4d8cfae0-41fc-b11b-6b00-9cee8c3d05b6@gmail.com> Date: Tue, 7 May 2019 12:08:34 -0700 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:60.0) Gecko/20100101 Thunderbird/60.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] open_basedir? From: smalyshev@gmail.com (Stanislav Malyshev) Hi! > If scenario (a) gives even a slight security advantage over scenario (b), > we should think very carefully before removing the feature. There's definitely _some_ security advantage, defense is always in layers, and while open_basedir can not be made secure, it certainly can avert _some_ attacks and prevent _some_ bugs from becoming a security catastrophe. *Relying* on it is wrong, but using it while being fully aware it is just a partial protection that is only good for certain things but not others is IMO fine. -- Stas Malyshev smalyshev@gmail.com