Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:43070 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 59824 invoked from network); 17 Feb 2009 09:12:09 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 17 Feb 2009 09:12:09 -0000 Authentication-Results: pb1.pair.com smtp.mail=sean@seanius.net; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=seanius@seanius.net; sender-id=unknown Received-SPF: error (pb1.pair.com: domain seanius.net from 66.93.22.232 cause and error) X-PHP-List-Original-Sender: sean@seanius.net X-Host-Fingerprint: 66.93.22.232 cobija.connexer.com Received: from [66.93.22.232] ([66.93.22.232:59206] helo=cobija.connexer.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 56/99-33190-76F7A994 for ; Tue, 17 Feb 2009 04:12:08 -0500 Received: from rangda.stickybit.se (unknown [85.24.152.193]) by cobija.connexer.com (Postfix) with ESMTP id 1EDA417C316; Tue, 17 Feb 2009 04:12:05 -0500 (EST) Received: by rangda.stickybit.se (Postfix, from userid 1000) id A7B3FFF25; Tue, 17 Feb 2009 10:12:02 +0100 (CET) Date: Tue, 17 Feb 2009 10:12:02 +0100 To: Eric Stewart Cc: internals@lists.php.net Message-ID: <20090217091202.GA3224@rangda.stickybit.se> References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="fdj2RfSjLxBAspz7" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.18 (2008-05-17) Subject: Re: [PHP-DEV] New INIs, Round Two. From: seanius@seanius.net (sean finney) --fdj2RfSjLxBAspz7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable hi, On Tue, Feb 17, 2009 at 02:02:35AM -0500, Eric Stewart wrote: > 14. A few other directives have been question but I don't have enough > experience with these particular settings so please weight in on them. >=20 > extension_dir =3D "./" > enable_dl =3D On i'd be incredibly weary of this setting, even in a development environment. - if you have enable_dl on, a user can load an arbitrary .so into php's (an= d=20 thus most often apache's) memory space. - if you have extension_dir =3D "./", then even open_basedir and similar built-in restrictions about the path of dl()'d .so extensions are no=20 longer in effect, and the floodgates are opened for various types of=20 external attacks. the biggest reason that this is problematic is that in the case of apache, you have raw access to all of apache's memory, including ssl keys, stored passwords, etc, which typically a php script will not have. sean --fdj2RfSjLxBAspz7 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFJmn9iynjLPm522B0RAi1CAJwP+OcRONWRmw6Pv/ZpgpiD7ZFxQwCghID1 NnTzNixWIBXL1a0rEWMVnHk= =dW5g -----END PGP SIGNATURE----- --fdj2RfSjLxBAspz7--