Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:62038 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 99063 invoked from network); 4 Aug 2012 20:06:05 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 4 Aug 2012 20:06:05 -0000 Authentication-Results: pb1.pair.com header.from=ajf@ajf.me; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=ajf@ajf.me; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain ajf.me designates 64.22.89.133 as permitted sender) X-PHP-List-Original-Sender: ajf@ajf.me X-Host-Fingerprint: 64.22.89.133 oxmail.registrar-servers.com Linux 2.6 Received: from [64.22.89.133] ([64.22.89.133:55890] helo=oxmail.registrar-servers.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id CC/82-19861-DA08D105 for ; Sat, 04 Aug 2012 16:06:05 -0400 Received: from [192.168.0.200] (5ad4bfa0.bb.sky.com [90.212.191.160]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by oxmail.registrar-servers.com (Postfix) with ESMTPSA id D057BC30002; Sat, 4 Aug 2012 16:06:01 -0400 (EDT) Message-ID: <501D8091.4070609@ajf.me> Date: Sat, 04 Aug 2012 21:05:37 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20120714 Thunderbird/14.0 MIME-Version: 1.0 To: Nikita Popov CC: Yahav Gindi Bar , PHP internals References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Integrate PECL into PHP From: ajf@ajf.me (Andrew Faulds) On 04/08/12 21:03, Nikita Popov wrote: > On Sat, Aug 4, 2012 at 9:57 PM, Yahav Gindi Bar wrote: >> We had dl() until it was deprecated, and even when we got it I guess that >> administrators disabled the dl() method because of security reasons. >> However, PECL got limited extensions which, as long as I know, does not put >> the server into security risks (maybe I've said something VERY STUPID right >> now, so excuse me...) > PECL extensions are C code. "C code" is programmer slang for "security risk". > > I mean, seriously, extension code can be pretty much everything. > Allowing people to load extensions from userland would go beyond > fatal. > > Nikita > Aren't shared hosting servers pretty well secured, though? If each site is under a different userid, surely it can't do much damage? -- Andrew Faulds http://ajf.me/