Newsgroups: php.internals
From: k-php-dev@ailis.de (Klaus Reimer)
Date: Fri, 29 Oct 2004 10:43:11 +0200
To: internals@lists.php.net
Subject: Re: [PHP-DEV] curl_init() is bypassing safe_mode & open_basedir restrictions

Sterling Hughes wrote:

> no.... curl does not need to respect php's safemode, adding such
> checks at this level is wrong. people who compile curl, can do so
> without local file access, and this will solve their problem.

What about people who use precompiled packages like the Debian packages? They don't have a "special" Curl for PHP. The curl debian package will never "disable" file-support just because it breaks a feature of PHP. So Debian users can't use safemode then if they need the curl extension and if they don't want (or don't know how) to compile the stuff.

And what about PHP installations on Windows (if there is a safe-mode and a curl extension, don't know). Especially Windows Users are not used to "compile" PHP. They are just downloading and installing DLLs.

In my opinion it would make sense to check the file://-URL inside the PHP extension before it goes to the curl library if safe mode is enabled. There must already be a check for this for PHP's fopen function, maybe this check can be re-used for this?

Safe-mode is a feature of PHP so PHP should make sure that this feature is working with all functions included in PHP if it's possible to secure the function (otherwise the user must disable it). And there is already a patch to do it, so it seems to be possible to secure the curl functions.

-- 
Bye, K (FidoNet: 2:240/2188.18)
[A735 47EC D87B 1F15 C1E9 53D3 AA03 6173 A723 E391]
(Finger k@ailis.de to get public key)
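
The kind of pre-check the message above proposes, as an added example; it is not code from the PHP source, the curl extension, or the patch the message mentions. The names `url_allowed` and `has_prefix_ci` are hypothetical, and the check is lexical only: it assumes the caller passes exactly the string later given to the transfer library and it does not resolve symbolic links.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical helpers for illustration; not PHP or libcurl API. */

/* Length of prefix if s starts with it (ASCII case-insensitive), else 0. */
static size_t has_prefix_ci(const char *s, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i]; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return i;
}

/* 1 = URL may be passed to the transfer library, 0 = refuse it.
 * Purely lexical: symbolic links under basedir are NOT resolved. */
int url_allowed(const char *url, const char *basedir)
{
    size_t n = has_prefix_ci(url, "file:");
    size_t blen = strlen(basedir);
    const char *path, *seg;

    if (n == 0)
        return 1;                       /* not a file: URL, out of scope here */
    path = url + n;
    if (path[0] == '/' && path[1] == '/') {     /* "//authority" present */
        path += 2;
        path += has_prefix_ci(path, "localhost");
    }
    if (*path != '/' || basedir[0] != '/')
        return 0;                       /* remote host, relative path, bad basedir */
    if (strchr(path, '%') || strchr(path, '\\'))
        return 0;                       /* refuse encoded or odd separators */
    for (seg = path; seg; seg = strchr(seg + 1, '/'))
        if (seg[1] == '.' && seg[2] == '.' && (seg[3] == '/' || !seg[3]))
            return 0;                   /* ".." segment could leave basedir */
    while (blen > 1 && basedir[blen - 1] == '/')
        blen--;                         /* ignore trailing slashes */
    if (blen == 1)
        return 1;                       /* basedir is the filesystem root */
    if (strncmp(path, basedir, blen) != 0)
        return 0;
    /* Boundary check so "/var/www-evil" does not match "/var/www". */
    return path[blen] == '/' || path[blen] == '\0';
}
```

Refusing every `%` is deliberately stricter than decoding and re-checking, so a path that differs only in encoding from what the library finally opens cannot slip past the comparison.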