Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:13595
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
To: internals@lists.php.net
Date: Fri, 29 Oct 2004 17:58:06 +0200
Message-ID: <epp4o09o6dmmav36eamjajfqtm59m7oj61@4ax.com>
References: <41811956.4050405@caedmon.net>  <20041029105149.3b150c7d.tony2001@phpclub.net> <24e5f3b704102901044714577f@mail.gmail.com> <4182029F.2040700@ailis.de> <Pine.LNX.4.58.0410291111190.2157@localhost>
In-Reply-To: <Pine.LNX.4.58.0410291111190.2157@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Subject: Re: [PHP-DEV] curl_init() is bypassing safe_mode & open_basedir
From: php@ter.dk (Peter Brodersen)

On Fri, 29 Oct 2004 11:13:33 +0200 (CEST), in php.internals
derick@php.net (Derick Rethans) wrote:

>Myth: Safe mode makes a PHP installation safe.
>Wrong! It might make it a bit safer, but there is always a possibility
>to work around it.

On the other hand, I think it's a pity not to freshen up code, just
because someone turns the argument around: "There is always a
possibility to work around it".

I think that's the case with the glob()-issue. There is some weirdness
with the way that glob() behaves, but there was a reason for adding
the safe_mode-check in the first place. There is some inconsistensy in
first adding some features with defect safe_mode-aware checks, and not
fixing these defects, because safe_mode is a hack. Otherwise, remove
safe_mode totally, once and for all.

But before safe_mode is politically decided bad and should be removed
entirely, one must respect that it is present and part of the system -
for better and for worse.


By the way, since it's a myth, you might stop repeating the myth,
since no-one else bombastically claimed that "Safe mode makes a PHP
installation safe" :)

--=20
- Peter Brodersen