Newsgroups: php.internals
Date: Sat, 30 Oct 2004 15:51:12 +0400
To: internals@lists.php.net
Message-ID: <20041030155112.600efdf0.tony2001@phpclub.net>
In-Reply-To: <20041029162608.GE31167@bagend.shire>
Subject: Re: [PHP-DEV] curl_init() is bypassing safe_mode & open_basedir restrictions
From: tony2001@phpclub.net (Antony Dovgal)

On Fri, 29 Oct 2004 16:26:08 +0000
Curt Zirzow wrote:

> * Thus wrote Antony Dovgal:
> > On Fri, 29 Oct 2004 01:04:23 -0700
> > Sterling Hughes wrote:
> >
> > > no.... curl does not need to respect php's safemode, adding such
> > > checks at this level is wrong. people who compile curl, can do so
> > > without local file access, and this will solve their problem.
> >
> > agree, curl doesn't need to respect safemode, but PHP does.
> > we're talking about PHP's extension, right ?
>
> One thing I noticed in some testing was the host part in the
> file:// url has no meaning so:
>
>   curl_init('file://whateveryouwant/etc/group');

yup, I see it now.
I can change the patch to check this too.

Currently I'm waiting for Sterling's response.
It's senseless to add any additional checks if he still considers that adding such things is wrong.

-- 
Wbr, Antony Dovgal aka tony2001
tony2001@phpclub.net || antony@dovgal.com
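
An added example, not part of this message and not the patch under discussion: a purely lexical check in C that takes the path from a file:// URL whatever its host part says and compares it with an allowed base directory. The function names and the `/var/www` base directory are assumptions, and PHP's own open_basedir logic (which resolves paths on the filesystem) is not reproduced here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: for a file: URL, return a pointer to its path with any
 * host part skipped ("" if no path follows); return NULL for other schemes. */
static const char *file_url_path(const char *url)
{
    static const char scheme[] = "file:";
    size_t i;

    for (i = 0; i < sizeof(scheme) - 1; i++)   /* scheme is case-insensitive */
        if (tolower((unsigned char)url[i]) != scheme[i])
            return NULL;
    url += i;
    if (url[0] == '/' && url[1] == '/')        /* "//host": ignored, skip to path */
        url = strchr(url + 2, '/');
    return url ? url : "";
}

/* Hypothetical check: 1 = allowed, 0 = denied. basedir is assumed absolute with
 * no trailing slash. No symlink resolution: it refuses what it cannot judge. */
static int file_url_allowed(const char *url, const char *basedir)
{
    const char *p, *path = file_url_path(url);
    size_t n = strlen(basedir);

    if (path == NULL)
        return 1;                              /* not a local-file URL */
    if (strchr(path, '%') != NULL)
        return 0;                              /* would need decoding first */
    for (p = path; (p = strstr(p, "/..")) != NULL; p += 3)
        if (p[3] == '/' || p[3] == '\0')
            return 0;                          /* ".." path segment */
    return strncmp(path, basedir, n) == 0 && (path[n] == '/' || path[n] == '\0');
}

int main(void)
{
    const char *urls[] = {                     /* constructed sample inputs */
        "file://whateveryouwant/etc/group",
        "file:///var/www/site/a.txt",
        "FILE://x/var/www/../../etc/group",
        "http://example.com/",
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-36s %s\n", urls[i],
               file_url_allowed(urls[i], "/var/www") ? "allowed" : "denied");
    return 0;
}
```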