Newsgroups: php.internals
From: ceo@l-i-e.com ("Richard Lynch")
Date: Mon, 12 Mar 2012 16:08:44 -0500
To: internals@lists.php.net
Subject: Re: [PHP-DEV] Providing sandboxed versions of include and require language constructs
In-Reply-To: <4F55CB27.7070305@anderiasch.de>
References: <4F55CB27.7070305@anderiasch.de>

On Tue, March 6, 2012 3:30 am, Florian Anderiasch wrote:

Security by blacklist almost always isn't security...

You're bound to miss one of the functions you should have blacklisted, but didn't.

Something like Drupal would be crippled by this because major extensions used by all rely on access that would probably want to be blocked.

So then they'd have to come up with a "blessed" list of extensions to not block, and then...

Nice idea, in the abstract, but I don't think it will work out to be very useful in the Real World (tm).

--
brain cancer update: http://richardlynch.blogspot.com/search/label/brain%20tumor
Donate: https://www.paypal.com/cgi-bin/webscr?cmd=_s-xclick&hosted_button_id=FS9NLTNEEKWBE