Newsgroups: php.internals
Date: Fri, 1 Oct 2004 12:58:06 -0700 (PDT)
From: rasmus@php.net (Rasmus Lerdorf)
To: Sara Golemon
Cc: Andi Gutmans, internals@lists.php.net
Subject: Re: [PHP-DEV] Re: realpath patch

On Fri, 1 Oct 2004, Sara Golemon wrote:

> > The only case that trips us up is the one where a user has direct access to
> > create whatever symlinks he wants in his own directory and then by hitting
> > that symlink through the web server he is effectively reading any file the
> > web server user id has permission to read and thereby bypassing safemode.
>
> I wouldn't consider it uncommon for shared hosting users to have a shell
> account....

I haven't really kept up with what ISPs are doing these days, but I would
hope they would be chroot'ing or jail'ing these shell accounts?

-Rasmus
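The symlink case quoted above, shown from the checking side as an added example (not code from this thread or from PHP's source): a name-only check accepts a link planted in the user's directory, while resolving with `realpath()` before checking containment and ownership refuses it. The helper names, the temporary fixture paths and the uid comparison as the policy are assumptions made for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak check: compares the requested name only, so a link inside home passes. */
int naive_allowed(const char *home, const char *path)
{
    return strncmp(path, home, strlen(home)) == 0;
}

/* Hardened check (hypothetical helper): resolve every symlink first, then
 * require the target to sit under home and to belong to the account's uid. */
int path_allowed(const char *home, const char *path, uid_t owner)
{
    char base[PATH_MAX], real[PATH_MAX];
    struct stat st;
    if (!realpath(home, base) || !realpath(path, real))
        return 0;                        /* unresolvable: refuse */
    size_t n = strlen(base);
    if (strncmp(real, base, n) != 0 || (real[n] != '/' && real[n] != '\0'))
        return 0;                        /* target lies outside home */
    return stat(real, &st) == 0 && st.st_uid == owner;
}

static int touch(const char *p) { FILE *f = fopen(p, "w"); return f ? fclose(f) : -1; }

/* Constructed fixture: home/page.txt, secret.txt beside home, and
 * home/link -> secret.txt. Returns a bitmask of what each check accepted. */
int demo(void)
{
    char t[] = "/tmp/symdemoXXXXXX", home[64], in[64], out[64], lnk[64];
    int r = 0;
    if (!mkdtemp(t)) return -1;
    snprintf(home, sizeof home, "%s/home", t);
    snprintf(in, sizeof in, "%s/home/page.txt", t);
    snprintf(out, sizeof out, "%s/secret.txt", t);
    snprintf(lnk, sizeof lnk, "%s/home/link", t);
    if (mkdir(home, 0700) || touch(in) || touch(out) || symlink(out, lnk)) return -1;
    if (path_allowed(home, in, geteuid()))  r |= 1;  /* own file */
    if (path_allowed(home, lnk, geteuid())) r |= 2;  /* link leaving home */
    if (naive_allowed(home, lnk))           r |= 4;  /* same link, weak check */
    unlink(lnk); unlink(in); unlink(out); rmdir(home); rmdir(t);
    return r;
}

int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

The check and the later open are two separate steps, so a link swapped in between them is still followed; opening the file first and validating the descriptor with `fstat()` narrows that window.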