Newsgroups: php.internals
Date: Fri, 29 Oct 2004 11:13:33 +0200 (CEST)
From: derick@php.net (Derick Rethans)
To: Klaus Reimer
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] curl_init() is bypassing safe_mode & open_basedir restrictions

On Fri, 29 Oct 2004, Klaus Reimer wrote:

> Safe-mode is a feature of PHP so PHP should make sure that this feature
> is working with all functions included in PHP if it's possible to secure
> the function (otherwise the user must disable it). And there is already
> a patch to do it, so it seems to be possible to secure the curl functions.

Myth: Safe mode makes a PHP installation safe.

Wrong! It might make it a bit safer, but there is always a possibility to work around it.
Privilege separation should be a function of a webserver, not of a scripting language and therefore we shall not put hacks in extensions because libraries do not adhere to safe mode. It's almost certain that one can never put all the necessary checks in the extension anyway.

Derick

--
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org