Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:30009
Return-Path: <rasmus@lerdorf.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 1525 invoked by uid 1010); 31 May 2007 20:41:09 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 1510 invoked from network); 31 May 2007 20:41:09 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 31 May 2007 20:41:09 -0000
Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lerdorf.com from 204.11.219.139 cause and error)
X-PHP-List-Original-Sender: rasmus@lerdorf.com
X-Host-Fingerprint: 204.11.219.139 mail.lerdorf.com  
Received: from [204.11.219.139] ([204.11.219.139:57845] helo=mail.lerdorf.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 6C/F2-17260-3E23F564 for <internals@lists.php.net>; Thu, 31 May 2007 16:41:08 -0400
Received: from trainburn-lm.corp.yahoo.com (trainburn-lm.corp.yahoo.com [207.126.233.11])
	(authenticated bits=0)
	by mail.lerdorf.com (8.14.1/8.14.1/Debian-4) with ESMTP id l4VKf11E009696
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
	Thu, 31 May 2007 13:41:03 -0700
Message-ID: <465F32DC.1000702@lerdorf.com>
Date: Thu, 31 May 2007 13:41:00 -0700
User-Agent: Thunderbird 2.0.0.0 (Macintosh/20070326)
MIME-Version: 1.0
To: "William A. Rowe, Jr." <wrowe@rowe-clan.net>
CC: "internals@lists.php.net" <internals@lists.php.net>
References: <465F31C8.8030208@rowe-clan.net>
In-Reply-To: <465F31C8.8030208@rowe-clan.net>
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV version 0.90.3, clamav-milter version 0.90.3 on colo.lerdorf.com
X-Virus-Status: Clean
Subject: Re: [PHP-DEV] Toggling enable_dl API off for runtime?
From: rasmus@lerdorf.com (Rasmus Lerdorf)

William A. Rowe, Jr. wrote:
> In httpd server (and most) there is a startup phase, when we generally
> trust what the admin has done, and a runtime phase.  There are obvious
> exploits if untrusted scripts can run arbitrary dlload's after startup.
> 
> enable_dl in php.ini will obviously override this, but to start up and
> load dynamic extensions, it's initially required to be on.
> 
> Is there any sense in having php4apache2 (and other SAPI's) permitted
> to run the entire startup phase of php prior to turning enable_dl back
> off for the runtime phase of the server?

enable_dl only affects the userspace dl() function.  That can only be
called at the runtime phase, as you call it.  So what you are proposing
doesn't make much sense.

-Rasmus