Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:13645
Return-Path: <sterling.hughes@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 52966 invoked by uid 1010); 31 Oct 2004 18:46:28 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 52940 invoked from network); 31 Oct 2004 18:46:28 -0000
Received: from unknown (HELO rproxy.gmail.com) (64.233.170.193)
  by pb1.pair.com with SMTP; 31 Oct 2004 18:46:28 -0000
Received: by rproxy.gmail.com with SMTP id 76so77522rnl
        for <internals@lists.php.net>; Sun, 31 Oct 2004 10:46:28 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references;
        b=grDSU3jBi8lXKXsp1dUi+7AXMllZDyRoXy90g9DstDNamq8OSfQ886h70IbC617UNbnyy6YnP4rcjmupZs+CQ4UgB/h84HkWhRXENZmsPVg6Oc8WVd4pDTYD/YeGDa5cBmfsU/8cLsO+SH1B9oel1lywjfxIFhjhnTldyF42cD4=
Received: by 10.38.66.42 with SMTP id o42mr289683rna;
        Sun, 31 Oct 2004 10:46:28 -0800 (PST)
Received: by 10.38.75.76 with HTTP; Sun, 31 Oct 2004 10:46:28 -0800 (PST)
Message-ID: <24e5f3b704103110467c921a35@mail.gmail.com>
Date: Sun, 31 Oct 2004 10:46:28 -0800
Reply-To: sterling@apache.org
To: Antony Dovgal <tony2001@phpclub.net>
Cc: internals@lists.php.net
In-Reply-To: <20041030155112.600efdf0.tony2001@phpclub.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
References: <41811956.4050405@caedmon.net>
	 <20041029105149.3b150c7d.tony2001@phpclub.net>
	 <24e5f3b704102901044714577f@mail.gmail.com>
	 <20041029122028.2a0e9fa2.tony2001@phpclub.net>
	 <20041029162608.GE31167@bagend.shire>
	 <20041030155112.600efdf0.tony2001@phpclub.net>
Subject: Re: [PHP-DEV] curl_init() is bypassing safe_mode & open_basedir restrictions
From: sterling.hughes@gmail.com (Sterling Hughes)

I still consider adding such things wrong....

-sterling

On Sat, 30 Oct 2004 15:51:12 +0400, Antony Dovgal <tony2001@phpclub.net> wrote:
> On Fri, 29 Oct 2004 16:26:08 +0000
> 
> 
> Curt Zirzow <curt@php.net> wrote:
> 
> > * Thus wrote Antony Dovgal:
> > > On Fri, 29 Oct 2004 01:04:23 -0700
> > > Sterling Hughes <sterling.hughes@gmail.com> wrote:
> > >
> > > > no....  curl does not need to respect php's safemode, adding such
> > > > checks at this level is wrong.  people who compile curl, can do so
> > > > without local file access, and this will solve their problem.
> > >
> > > agree, curl doesn't need to respect safemode, but PHP does.
> > > we're talking about PHP's extension, right ?
> >
> > One thing I noticed in some testing was the host part in the
> > file:// url has no meaning so:
> >
> >   curl_init('file://whateveryouwant/etc/group');
> 
> yup, I see it now.
> I can change the patch to check this too.
> 
> Currently I'm waiting for Sterling's response.
> It's senseless to add any additional checks if he still considers
> that adding such things is wrong.
> 
> 
> 
> --
> Wbr,
> Antony Dovgal aka tony2001
> tony2001@phpclub.net || antony@dovgal.com
> 
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
> 
>