Newsgroups: php.internals
From: paul@rusko.us ("Paul G")
Date: Fri, 29 Oct 2004 14:38:23 -0400
Subject: Re: [PHP-DEV] curl_init() is bypassing safe_mode & open_basedir restrictions

----- Original Message -----
From: "Derick Rethans"
To: "Adam Maccabee Trachtenberg"
Cc: "Klaus Reimer" ;
Sent: Friday, October 29, 2004 12:55 PM
Subject: Re: [PHP-DEV] curl_init() is bypassing safe_mode & open_basedir restrictions

> On Fri, 29 Oct 2004, Adam Maccabee Trachtenberg wrote:
>
> > On Fri, 29 Oct 2004, Klaus Reimer wrote:
> >
> > > Sterling Hughes wrote:
> > > > no.... curl does not need to respect php's safemode, adding such
> > > > checks at this level is wrong. people who compile curl, can do so
> > > > without local file access, and this will solve their problem.
> > >
> > > What about people who use precompiled packages like the Debian packages?
> > > They don't have a "special" Curl for PHP. The curl debian package will
> > > never "disable" file-support just because it breaks a feature of PHP. So
> > > Debian users can't use safemode then if they need the curl extension and
> > > if they don't want (or don't know how) to compile the stuff.
> >
> > Safe mode is for people who are running shared servers and want to
> > wall off areas. If you're doing this, you should be willing and able
> > to configure programs if necessary. I don't mind making ISP sys admins
> > configure cURL with a special flag, nor do I think it's too onerous a burden.
>
>
> Exactly!

and what happens in the (admittedly unlikely) case where something else on
the same box depends on that feature being available in libcurl?

i don't see what is wrong in restricting the functionality exposed by the
php curl extension based on safe_mode in practice (as opposed to ideally)
provided the patch is clean, straightforward and without breakage side
effects.

paul