Newsgroups: php.internals
From: tyra3l@gmail.com (Ferenc Kovacs)
Date: Sat, 4 Aug 2012 22:19:30 +0200
Subject: Re: [PHP-DEV] Integrate PECL into PHP
To: Andrew Faulds
Cc: Nikita Popov, Yahav Gindi Bar, PHP internals
In-Reply-To: <501D8091.4070609@ajf.me>

On Sat, Aug 4, 2012 at 10:05 PM, Andrew Faulds wrote:

> On 04/08/12 21:03, Nikita Popov wrote:
>
>> On Sat, Aug 4, 2012 at 9:57 PM, Yahav Gindi Bar wrote:
>>
>>> We had dl() until it was deprecated, and even when we got it I guess that
>>> administrators disabled the dl() method because of security reasons.
>>> However, PECL got limited extensions which, as long as I know, does not put
>>> the server into security risks (maybe I've said something VERY STUPID right
>>> now, so excuse me...)
>>>
>> PECL extensions are C code. "C code" is programmer slang for "security
>> risk".
>>
>> I mean, seriously, extension code can be pretty much everything.
>> Allowing people to load extensions from userland would go beyond
>> fatal.
>>
>> Nikita
>>
> Aren't shared hosting servers pretty well secured, though? If each site
> is under a different userid, surely it can't do much damage?
>

From C code, any and all PHP security measures like open_basedir,
allow_url_include, etc. could be bypassed.
Of course the preferred way to secure your multi-user environment is to do
that outside of PHP (jail/chroot/suexec etc.), but this would still be an
attack vector.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
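An added example, not part of the original message and not code from the PHP project: a small Python audit of php.ini text for the dl() exposure discussed in this thread. The sample configurations are constructed, `parse_ini` and `audit_dl` are hypothetical helper names, and the check judges configuration only, not which SAPI is in use.

```python
TRUTHY = {"1", "on", "true", "yes"}

def parse_ini(text):
    """Return {directive: value}; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments (quoted ';' not handled)
        if not line or line.startswith("[") or "=" not in line:
            continue  # blank line, section header, or not an assignment
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings

def audit_dl(text):
    """List findings about loading native extensions from PHP code."""
    s = parse_ini(text)
    # enable_dl is on when the directive is absent (PHP's documented default).
    dl_enabled = s.get("enable_dl", "1").lower() in TRUTHY
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",")}
    findings = []
    if dl_enabled and "dl" not in disabled:
        findings.append("dl() reachable: set enable_dl = Off or list dl in disable_functions")
        if s.get("open_basedir"):
            findings.append("open_basedir is enforced by PHP only; native extension "
                            "code is not bound by it, so isolate users at the OS level")
    return findings

# Constructed sample configurations (not taken from any real host).
WEAK = """
[PHP]
open_basedir = /home/site1   ; per-site restriction
disable_functions = exec,system
"""
HARDENED = """
[PHP]
enable_dl = Off
open_basedir = /home/site1
disable_functions = exec,system,dl
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_dl(cfg) or "no dl() exposure found")
```
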