Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:30012 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 7857 invoked by uid 1010); 31 May 2007 20:54:45 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 7841 invoked from network); 31 May 2007 20:54:45 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 31 May 2007 20:54:45 -0000 Authentication-Results: pb1.pair.com smtp.mail=ceo@l-i-e.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=ceo@l-i-e.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain l-i-e.com from 67.139.134.202 cause and error) X-PHP-List-Original-Sender: ceo@l-i-e.com X-Host-Fingerprint: 67.139.134.202 o2.hostbaby.com FreeBSD 4.7-5.2 (or MacOS X 10.2-10.3) (2) Received: from [67.139.134.202] ([67.139.134.202:4311] helo=o2.hostbaby.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 75/E3-17260-2163F564 for ; Thu, 31 May 2007 16:54:43 -0400 Received: (qmail 34626 invoked by uid 98); 31 May 2007 20:54:43 -0000 Received: from 127.0.0.1 by o2.hostbaby.com (envelope-from , uid 1013) with qmail-scanner-2.01 (clamdscan: 0.88.7/3335. Clear:RC:1(127.0.0.1):. Processed in 1.733096 secs); 31 May 2007 20:54:43 -0000 Received: from localhost (HELO l-i-e.com) (127.0.0.1) by localhost with SMTP; 31 May 2007 20:54:40 -0000 Received: from 216.230.84.67 (SquirrelMail authenticated user ceo@l-i-e.com) by www.l-i-e.com with HTTP; Thu, 31 May 2007 15:54:40 -0500 (CDT) Message-ID: <39584.216.230.84.67.1180644880.squirrel@www.l-i-e.com> In-Reply-To: <465F31C8.8030208@rowe-clan.net> References: <465F31C8.8030208@rowe-clan.net> Date: Thu, 31 May 2007 15:54:40 -0500 (CDT) To: "William A. Rowe, Jr." Cc: "internals@lists.php.net" Reply-To: ceo@l-i-e.com User-Agent: Hostbaby Webmail MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Subject: Re: [PHP-DEV] Toggling enable_dl API off for runtime? From: ceo@l-i-e.com ("Richard Lynch") On Thu, May 31, 2007 3:36 pm, William A. Rowe, Jr. wrote: > In httpd server (and most) there is a startup phase, when we generally > trust what the admin has done, and a runtime phase. There are obvious > exploits if untrusted scripts can run arbitrary dlload's after > startup. Call me silly, but if you've got untrusted scripts running, dl or no dl, you are in a boat-load of trouble... > enable_dl in php.ini will obviously override this, but to start up and > load dynamic extensions, it's initially required to be on. > > Is there any sense in having php4apache2 (and other SAPI's) permitted > to run the entire startup phase of php prior to turning enable_dl back > off for the runtime phase of the server? I still haven't figured out why dl() needs to go away at all, frankly. Why not default if off and add yet another php.ini flag, or add a special php.ini flag which does the exact same thing as putting dl on the list of banned functions. I'm not seeing the big win of killing dl... -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So?