Newsgroups: php.internals
Message-ID: <465F31C8.8030208@rowe-clan.net>
Date: Thu, 31 May 2007 15:36:24 -0500
To: "internals@lists.php.net"
Subject: Toggling enable_dl API off for runtime?
From: wrowe@rowe-clan.net ("William A. Rowe, Jr.")

In httpd server (and most) there is a startup phase, when we generally trust what the admin has done, and a runtime phase. There are obvious exploits if untrusted scripts can run arbitrary dlload's after startup.

enable_dl in php.ini will obviously override this, but to start up and load dynamic extensions, it's initially required to be on. Is there any sense in having php4apache2 (and other SAPI's) permitted to run the entire startup phase of php prior to turning enable_dl back off for the runtime phase of the server?