Newsgroups: php.internals
From: johannes@php.net (Johannes Schlüter)
To: sean finney
Cc: Eric Stewart, internals@lists.php.net
Date: Tue, 17 Feb 2009 16:34:24 +0100
Subject: Re: [PHP-DEV] New INIs, Round Two.

On Tue, 2009-02-17 at 10:12 +0100, sean finney wrote:
> hi,
>
> On Tue, Feb 17, 2009 at 02:02:35AM -0500, Eric Stewart wrote:
> > 14. A few other directives have been questioned but I don't have enough
> > experience with these particular settings so please weigh in on them.
> >
> > extension_dir = "./"
[...]
> - if you have extension_dir = "./", then even open_basedir and similar
>   built-in restrictions about the path of dl()'d .so extensions are no
>   longer in effect, and the floodgates are opened for various types of
>   external attacks.

extension_dir should be the compiled-in value by default, at least on *nix.
On Windows maybe the installer can set it. So the value should be commented
out.

On *nix the reason is that the compiled-in default (for example
$prefix/lib/php/extensions/no-debug-non-zts-20090115) is used when
compiling extensions using the phpize-way or pear installer so only with
that value it will work out of the box.

johannes
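
Added example, not part of the original message or of PHP itself: a small Python check for the condition discussed above, reporting each active extension_dir line in a php.ini text as relative, absolute or empty. The function name and the sample ini fragments are constructed for illustration, and the check inspects only the text it is given, not additional ini files or the compiled-in value.

```python
import re

# Constructed sample php.ini fragments (not taken from any real system).
SAMPLE_RELATIVE = '''\
[PHP]
; Directory in which the loadable extensions (modules) reside.
extension_dir = "./"
enable_dl = On
'''

SAMPLE_DEFAULT = '''\
[PHP]
; extension_dir = "./"
enable_dl = Off
'''

_DIRECTIVE = re.compile(r'^\s*extension_dir\s*=\s*(.*)$')
# POSIX absolute path, Windows drive path, or UNC path.
_ABSOLUTE = re.compile(r'^(/|[A-Za-z]:[\\/]|\\\\)')


def _value(raw):
    """Strip surrounding quotes, or a trailing ';' comment, from an ini value."""
    raw = raw.strip()
    if raw[:1] in ('"', "'"):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end != -1 else raw[1:]
    return raw.split(';', 1)[0].strip()


def audit_extension_dir(ini_text):
    """Return (line_no, value, verdict) for each active extension_dir line.

    An empty list means this text sets no active value, i.e. the directive
    is absent or commented out, as the message above recommends.
    """
    findings = []
    for no, line in enumerate(ini_text.splitlines(), 1):
        if line.lstrip().startswith(';'):
            continue  # commented out: not an active setting
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        value = _value(m.group(1))
        if not value:
            verdict = 'empty'
        else:
            verdict = 'absolute' if _ABSOLUTE.match(value) else 'relative'
        findings.append((no, value, verdict))
    return findings
```

A 'relative' verdict is the case the quoted concern is about: the extension search path then depends on the process's working directory rather than on a fixed location.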