Newsgroups: php.internals
Xref: news.php.net php.internals:30017
Message-ID: <465F3F93.8060000@rowe-clan.net>
Date: Thu, 31 May 2007 16:35:15 -0500
From: wrowe@rowe-clan.net ("William A. Rowe, Jr.")
To: Rasmus Lerdorf
CC: "internals@lists.php.net"
References: <465F31C8.8030208@rowe-clan.net> <39584.216.230.84.67.1180644880.squirrel@www.l-i-e.com> <465F3A9C.6000300@rowe-clan.net> <465F3C39.4090708@lerdorf.com>
In-Reply-To: <465F3C39.4090708@lerdorf.com>
Subject: Re: [PHP-DEV] Toggling enable_dl API off for runtime?

Rasmus Lerdorf wrote:
> William A. Rowe, Jr. wrote:
>> An example php.ini file that is significantly immune to these side effects
>> would seem to be a good idea. Either that, or a "DON'T COHOST UNTRUSTED
>> SCRIPTS" disclaimer :)
>
> Disabling dl() is a rather well-known ISP configuration. And it isn't
> allowed at all in any threaded sapis, so that part isn't an issue. I
> guess you are asking us to provide an example .ini file for hosting
> companies. The sticky point here is that I think most of us would
> suggest using a fastcgi or a completely vm'ed setup for any sort of
> secure hosting. And in both those cases dl() wouldn't actually be a
> problem.

I concur w.r.t. cgi, that's the gist of the response to bugtraq I'm drafting.
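The "example php.ini file" the thread asks for, as an added illustration (this is editor-supplied, not a file from the thread or from the PHP project). It shows the directives a shared-hosting operator would set so that a co-hosted script cannot load a shared object into the server process via dl(); the directive names and their PHP_INI_SYSTEM scope are PHP's documented behaviour, the path and the layout are assumptions:

```ini
; Added example php.ini fragment for a shared-hosting (co-hosted scripts) box.
; Not from the thread or from PHP's own php.ini-dist; the extension_dir path
; is an assumption for illustration.

; With enable_dl = On (the php.ini-dist default of the time) any script can
; call dl("foo.so") and load an arbitrary shared object, living in
; extension_dir, into the server process with that process's privileges.
; enable_dl is PHP_INI_SYSTEM: it can be set here or in httpd.conf with
; php_admin_flag, but never per directory (.htaccess) or at runtime with
; ini_set(), which is the runtime-toggle question this thread is about.
enable_dl = Off

; Belt and braces: remove the function itself, so even a SAPI or build that
; would honour dl() has nothing to call. disable_functions is PHP_INI_SYSTEM
; as well, so a co-hosted script cannot re-enable it from user code.
disable_functions = dl

; dl() resolves the module name relative to extension_dir only, so keep that
; directory root-owned and not writable by any hosting customer; otherwise
; a writable extension_dir plus any remaining dl() path is a full compromise.
extension_dir = "/usr/lib/php/modules"
```

To confirm the settings are in effect, check them from the same SAPI and php.ini the web server actually uses (a phpinfo() page, or `php -r 'var_dump(ini_get("enable_dl"), function_exists("dl"));'` only if the CLI reads the same ini file): enable_dl should come back as a falsy value and function_exists("dl") as false. As Rasmus notes above, threaded SAPIs never permit dl() in the first place, so these directives matter for the prefork and CGI deployments that do.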