Newsgroups: php.internals
Xref: news.php.net php.internals:13609
Date: Sat, 30 Oct 2004 01:03:21 +0200 (CEST)
From: derick@php.net (Derick Rethans)
To: Curt Zirzow
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] curl_init() is bypassing safe_mode & open_basedir restrictions

On Fri, 29 Oct 2004, Curt Zirzow wrote:

> * Thus wrote Antony Dovgal:
> > On Fri, 29 Oct 2004 01:04:23 -0700
> > Sterling Hughes wrote:
> >
> > > no.... curl does not need to respect php's safemode, adding such
> > > checks at this level is wrong. people who compile curl, can do so
> > > without local file access, and this will solve their problem.
> >
> > agree, curl doesn't need to respect safemode, but PHP does.
> > we're talking about PHP's extension, right ?
>
> One thing I noticed in some testing was the host part in the
> file:// url has no meaning so:
>
>   curl_init('file://whateveryouwant/etc/group');
>
> Works fine.

That's exactly what my point in an earlier mail meant: "It's almost
certain that one can never put all the necessary checks in the extension
anyway."

Derick

--
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org
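
The file:// behaviour discussed in this message can be refused in application code by allowing URL schemes explicitly. The following PHP is an added example, not part of the original mail or of PHP's curl extension; `safe_curl_init()` is a hypothetical helper name, and `CURLOPT_PROTOCOLS` / `CURLOPT_REDIR_PROTOCOLS` are libcurl options that postdate this 2004 thread.

```php
<?php
// Added example: application-side scheme allowlist for cURL handles.
// safe_curl_init() is a hypothetical helper name, not a PHP built-in.

function safe_curl_init(string $url)
{
    // Decide on the scheme alone. The host part of a file:// URL is
    // ignored by curl, so 'file://whateveryouwant/etc/group' has to be
    // rejected no matter what the host component says.
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme)
        || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return false;
    }

    $ch = curl_init($url);
    if ($ch === false) {
        return false;
    }

    // Second layer: have libcurl itself refuse every other protocol,
    // on the initial request and on any redirect it follows.
    curl_setopt($ch, CURLOPT_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_REDIR_PROTOCOLS, CURLPROTO_HTTP | CURLPROTO_HTTPS);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

    return $ch;
}

// Constructed sample inputs; no request is sent, only the handle
// creation decision is reported.
$samples = [
    'https://www.php.net/',
    'file://whateveryouwant/etc/group',
    'FILE:///etc/group',
    '/etc/group',
];

foreach ($samples as $url) {
    $ch = safe_curl_init($url);
    printf("%-36s %s\n", $url, $ch === false ? 'rejected' : 'allowed');
}
```

The string check and the libcurl option overlap on purpose: the first covers callers that build the URL from user input, the second covers redirects that the application never sees as a string.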