Newsgroups: php.internals
From: johannes@schlueters.de (Johannes Schlüter)
To: Vincenzo D'Amore
Cc: Pierre Joye, internals@lists.php.net
Date: Tue, 13 Jul 2010 15:38:19 +0200
Subject: Re: [PHP-DEV] Re: Performance problem with php

On Tue, 2010-07-13 at 15:11 +0200, Vincenzo D'Amore wrote:
> thank you for reading my posts, *could anybody help me to
> understand why realpath cache is disabled if safe_mode or open_basedir are
> set?*

For security reasons.
Assume the following (simplified) code:

and suddenly you've bypassed the check as for do_bad_things_with_bar() the cached value is used.

Now I hear you say "then invalidate the cache entries" or something like that, but well, there are so many ways to achieve such a result (including from outside PHP) that the check won't be reliable in any way anymore.

That's the issue one has with security features on the application level; the operating system itself can implement it way more efficiently, but this doesn't (easily) work with a mod_php vhost config (Solaris + mod_privileges would be one way, probably Linux + AppArmor can do, too ...).

johannes
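
The stale-cache problem described in the message above, modelled in Python as an added example; it is not part of the original message and is not PHP's own code. The names `CachedResolver`, `inside` and `demo` and the file names are hypothetical, and the directory tree is constructed in a temporary directory.

```python
import os
import tempfile


class CachedResolver:
    """Hypothetical model of a realpath cache: resolve once, reuse the answer."""
    def __init__(self):
        self._cache = {}

    def realpath(self, path):
        if path not in self._cache:
            self._cache[path] = os.path.realpath(path)
        return self._cache[path]


def inside(basedir, resolved):
    """open_basedir-style check: does the resolved path lie under basedir?"""
    basedir = os.path.realpath(basedir)
    return os.path.commonpath([basedir, resolved]) == basedir


def demo():
    """Return (first check, check using the cache, check resolving again)."""
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        allowed = os.path.join(root, "allowed")
        outside = os.path.join(root, "outside")
        os.mkdir(allowed)
        os.mkdir(outside)
        inner = os.path.join(allowed, "data.txt")
        other = os.path.join(outside, "other.txt")
        for name in (inner, other):
            with open(name, "w") as fh:
                fh.write("sample\n")

        bar = os.path.join(allowed, "bar")
        os.symlink(inner, bar)  # "bar" starts out pointing inside the tree
        cache = CachedResolver()
        first = inside(allowed, cache.realpath(bar))  # passes and is cached
        # The link is repointed by something the cache never hears about,
        # e.g. another process on the same host.
        os.remove(bar)
        os.symlink(other, bar)
        stale = inside(allowed, cache.realpath(bar))    # cached answer reused
        fresh = inside(allowed, os.path.realpath(bar))  # resolved again
        return first, stale, fresh


if __name__ == "__main__":
    print(demo())
```

The check that consults the cache still reports the path as allowed after the link has changed, while the one that resolves the path again rejects it, which is why the cache is switched off when the path check is a security boundary.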