Newsgroups: php.internals
Subject: Re: [PHP-DEV] open_basedir_for_include
From: rasmus@lerdorf.com (Rasmus Lerdorf)
Date: Sat, 25 Mar 2006 08:55:57 -0800
To: Ilia Alshanetsky
CC: Sara Golemon, internals@lists.php.net
Message-ID: <4425761D.4020300@lerdorf.com>

But it does prevent writing to those dirs.

Ilia Alshanetsky wrote:
> Why not just add the dirs you intend to include from to open_basedir
> directly? It does not prevent arbitrary files from being loaded anyway
> from those dirs. A simple ob_start() include "file"; ob_get_clean() will
> happily give you the data. And if you wanted to see the source code,
> highlight_file() could be used.
>
> Ilia
>
> Sara Golemon wrote:
>> The PDM recommendation covering the removal of safe_mode included a
>> note on expanding the role of open_basedir. To that end, I'd like to
>> propose introducing a new ini option: open_basedir_for_include which
>> would allow using include/require(_once) on an expanded set of
>> directories than what open_basedir would otherwise allow.
>>
>> Since php_fopen_wrapper_for_zend() specifies STREAM_OPEN_FOR_INCLUDE,
>> we can catch this option in the plain_files wrapper and expand the
>> open_basedir check to allow specifying the alternate INI option (when
>> set of course). Obviously if this new option were left unset and the
>> regular open_basedir were set, we'd still use that for full BC.
>>
>> If no one objects I'll add this functionality in between unicode
>> related patches in a week or so.
>>
>> -Sara
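
A small C model of the check proposed in this thread, added here as an illustration; it is not PHP's source and not code from any participant. `open_allowed`, `OPEN_FOR_INCLUDE` and the sample paths are hypothetical, paths are assumed to be already canonical, and "expanded set" is read as open_basedir plus the extra include directories.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the STREAM_OPEN_FOR_INCLUDE option named in the thread. */
#define OPEN_FOR_INCLUDE 1

/* 1 if path is dir itself or lies below it; the match ends on a directory
   boundary, so "/srv/lib" does not cover "/srv/lib2" (assumption of this model). */
static int under_dir(const char *path, const char *dir) {
    size_t n = strlen(dir);
    while (n > 1 && dir[n - 1] == '/') n--;        /* ignore trailing slashes */
    if (strncmp(path, dir, n) != 0) return 0;
    if (n == 1 && dir[0] == '/') return 1;         /* "/" covers every absolute path */
    return path[n] == '\0' || path[n] == '/';
}

/* 1 if path is under any entry of a colon-separated list; NULL or "" means unset. */
static int in_list(const char *path, const char *list) {
    char dir[1024];
    if (!list) return 0;
    while (*list) {
        size_t len = strcspn(list, ":");
        if (len > 0 && len < sizeof dir) {
            memcpy(dir, list, len);
            dir[len] = '\0';
            if (under_dir(path, dir)) return 1;
        }
        list += len;
        if (*list == ':') list++;
    }
    return 0;
}

/* Decision for one open: an unset basedir means no restriction (old behaviour kept). */
int open_allowed(const char *path, int options,
                 const char *basedir, const char *basedir_for_include) {
    if (!basedir || !*basedir) return 1;
    if (in_list(path, basedir)) return 1;
    /* Only include/require reaches the extra list; other opens, writes included, do not. */
    return (options & OPEN_FOR_INCLUDE) && in_list(path, basedir_for_include);
}

int main(void) {
    const char *bd = "/srv/app", *inc = "/srv/lib:/usr/share/php";  /* constructed values */
    printf("include /srv/lib/db.php: %d\n", open_allowed("/srv/lib/db.php", OPEN_FOR_INCLUDE, bd, inc));
    printf("fopen   /srv/lib/db.php: %d\n", open_allowed("/srv/lib/db.php", 0, bd, inc));
    printf("include /srv/lib2/x.php: %d\n", open_allowed("/srv/lib2/x.php", OPEN_FOR_INCLUDE, bd, inc));
    return 0;
}
```

The model captures both replies: a non-include open of an include-only directory is refused, while anything in that directory still passes the include check, so its contents should be treated as readable by the script.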