Newsgroups: php.internals
Xref: news.php.net php.internals:58904
References: <4F55CB27.7070305@anderiasch.de>
Date: Mon, 12 Mar 2012 18:25:22 -0400
To: internals@lists.php.net
Subject: Re: [PHP-DEV] Providing sandboxed versions of include and require language constructs
From: adamjonr@gmail.com (Adam Jon Richardson)

On Mon, Mar 12, 2012 at 5:08 PM, Richard Lynch wrote:

> On Tue, March 6, 2012 3:30 am, Florian Anderiasch wrote:
>
> Security by blacklist almost always isn't security...
>
> You're bound to miss one of the functions you should have blacklisted,
> but didn't.

Agreed. The approach I'm developing would be a whitelisting approach.

> Something like Drupal would be crippled by this because major
> extensions used by all rely on access that would probably want to be
> blocked.
>
> So then they'd have to come up with a "blessed" list of extensions to
> not block, and then...

The idea would be to make it easy to add to the default whitelist per
include.

> Nice idea, in the abstract, but I don't think it will work out to be
> very useful in the Real World (tm).

I'm working on documenting the ideas and refining the approach. I think it
will hold significant value, but a few years ago I also thought that WebOS
would become a major player in the mobile market :)

Adam

P.S. - Thankful to see your recent update on your medical prognosis,
Richard.