Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:13648 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 86068 invoked by uid 1010); 31 Oct 2004 21:51:40 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 85812 invoked from network); 31 Oct 2004 21:51:39 -0000 Received: from unknown (HELO rproxy.gmail.com) (64.233.170.197) by pb1.pair.com with SMTP; 31 Oct 2004 21:51:39 -0000 Received: by rproxy.gmail.com with SMTP id 76so84598rnl for ; Sun, 31 Oct 2004 13:51:39 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:references; b=PQ2HTvckgqrMCseaKa8PGHZklOhcCKI5xIjzhFtcUtf9TNmV9mV2NfzNG9S3wMXMo6Iku2SYes8M3W0ZlSbyDBSjRFRipHnpXG6k0g3l0nyMUCJrYLzmFT6GshiVYzgVhb725IbyDX5n94aZVM18gGzH6anjp31q0NyBuX4f4zU= Received: by 10.38.164.74 with SMTP id m74mr360950rne; Sun, 31 Oct 2004 13:51:38 -0800 (PST) Received: by 10.38.73.20 with HTTP; Sun, 31 Oct 2004 13:51:38 -0800 (PST) Message-ID: Date: Sun, 31 Oct 2004 16:51:38 -0500 Reply-To: Adam Greenfield To: Antony Dovgal Cc: internals@lists.php.net In-Reply-To: <20041101011954.753eca66.tony2001@phpclub.net> Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit References: <41811956.4050405@caedmon.net> <20041029105149.3b150c7d.tony2001@phpclub.net> <24e5f3b704102901044714577f@mail.gmail.com> <20041029122028.2a0e9fa2.tony2001@phpclub.net> <20041029162608.GE31167@bagend.shire> <20041030155112.600efdf0.tony2001@phpclub.net> <24e5f3b704103110467c921a35@mail.gmail.com> <20041101011954.753eca66.tony2001@phpclub.net> Subject: Re: [PHP-DEV] curl_init() is bypassing safe_mode & open_basedir restrictions From: adam.greenfield@gmail.com (Adam Greenfield) On Mon, 1 Nov 2004 01:19:54 +0300, Antony Dovgal wrote: > On Sun, 31 Oct 2004 10:46:28 -0800 > Sterling Hughes wrote: > > > I still consider adding such things wrong.... > > Sterling, I still think that you can be right, but I'd > like to hear some arguments. > "This is wrong" or "this is silly" aren't too informative. > I think the best argument came from Derick > Privilege seperation should be a function of a > webserver, not of a scripting language and therefore we shall not put > hacks in extensions because libraries do not adhere to safe mode. It's > almost certain that one can never put all the necessary checks in the > extension anyway. Speaking as an administrator who would be particularly affected by this situation (I work at a web hosting company that does a fair amount of shared web hosting) I could not agree more. Safemode should not attempt to modify the actions of the underlying libraries. Setting up a solid shared hosting platform takes a lot more than just one PHP option, and if you don't want this functionality in curl on your system, you should remove it from curl. However that is just my 2 cents. -- Adam C. Greenfield