Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:11557
Return-Path: <rasmus@php.net>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 33612 invoked by uid 1010); 25 Jul 2004 18:19:12 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 33588 invoked from network); 25 Jul 2004 18:19:12 -0000
Received: from unknown (HELO colo.lerdorf.com) (66.198.51.121)
  by pb1.pair.com with SMTP; 25 Jul 2004 18:19:12 -0000
Received: from [192.168.1.105] (c-24-6-1-90.client.comcast.net [24.6.1.90])
	by colo.lerdorf.com (8.12.11/8.12.11/Debian-5) with ESMTP id i6PIJAYc009270;
	Sun, 25 Jul 2004 11:19:11 -0700
Date: Sun, 25 Jul 2004 11:19:05 -0700 (PDT)
X-X-Sender: rasmus@thinkpad.lerdorf.com
To: Andi Gutmans <andi@zend.com>
cc: internals@lists.php.net
In-Reply-To: <5.1.0.14.2.20040725104701.02789d40@127.0.0.1>
Message-ID: <Pine.LNX.4.58.0407251106050.28603@thinkpad.lerdorf.com>
References: <5.1.0.14.2.20040724003444.034ea690@127.0.0.1>
 <5.1.0.14.2.20040724003444.034ea690@127.0.0.1> <5.1.0.14.2.20040725104701.02789d40@127.0.0.1>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=ham 
	version=2.63
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on colo
Subject: Re: [PHP-DEV] Everyone on the road?
From: rasmus@php.net (Rasmus Lerdorf)

On Sun, 25 Jul 2004, Andi Gutmans wrote:
> I think it's going to be quite hard and not really worthwhile to add 
> support for partial realpath(). In this case I like the kiss approach. It 
> gives a great bang for the buck and is very simple.

Well, there is another approach here.  There are only 2 places where we 
need the full paths.  The first is for the included_files list to be able 
to do the require_once/include_once check and the second is for the 
open_basedir mechanism.  There are a lot of people out there who do not 
use open_basedir and I would guess most people looking for maximum 
performance wouldn't be in a situation where they needed the open_basedir 
feature.  So the only real feature in question here is the *_once 
checking and even there you don't necessarily need the full path although 
without it you could potentially run into problems if you include the same 
file through 2 different relative paths or more obscurely if you 
deliberately change your cwd halfway through your script and include a 
file of the same name through the same relative path but this is not 
actually the same file.  In both cases you are basically going out of your 
way to trick the _once check.  At Yahoo I have been running everything 
with relative paths for well over a year now without any problems.

So, some approaches:

 a. compile-time switch to disable full paths completely

 b. ini switch to disable full paths completely unless open_basedir is enabled

 c. ini switch to disable full paths from include/require but enable them 
    for include_once/require_once.  That is, if you want *_once protection
    you use include_once/require_once.  If you don't, you just use 
    include/require and include/require would not populate the 
    included_files list.

-Rasmus