Newsgroups: php.internals
Date: Wed, 18 Jun 2014 05:57:09 +0200
To: Rasmus Lerdorf
Cc: PHP internals
Subject: Re: [PHP-DEV] PHP6, drop open_basedir?
From: pierre.php@gmail.com (Pierre Joye)

On Wed, Jun 18, 2014 at 5:49 AM, Rasmus Lerdorf wrote:

> I think you have a very narrow view of how this feature is used.
> Security and code quality is about layers. This is a useful layer that
> helps verify that an application, or even a subset of an application, is
> only able to access a given set of directories. If something tries to
> access a file outside of the defined scope, we get an error and we know
> there is a bug in the code. I, and many companies out there, rely quite
> heavily on this feature to catch mistakes. And yes, there are ways of
> getting around it at the PHP-level if you deliberately craft your PHP
> code to do so, but that doesn't make the feature any less useful to all
> the people using it to catch non-deliberate mistakes.

It gives a false sense of safety, and that alone for me is a good
enough reason to remove it. It is not as bad as safe_mode but simply
not good.

That being said I have no issue with keeping it besides the lost
opportunity to get rid of an old bad decision.

Cheers,
--
Pierre

@pierrejoye | http://www.libgd.org
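
The mistake-catching use of open_basedir described in the quoted message, as an added example that is not part of either participant's mail. The directory layout, file names and the `readUpload()` helper are hypothetical, and the file contents are constructed sample data.

```php
<?php
// Added example, not code from the thread. Paths and helper names are hypothetical.
declare(strict_types=1);

// open_basedir violations surface as E_WARNING; turn them into exceptions so an
// out-of-scope access is reported as a bug instead of returning false quietly.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// Constructed sandbox: one directory the code may use and a sibling it may not.
$sep     = DIRECTORY_SEPARATOR;
$root    = realpath(sys_get_temp_dir()) . $sep . 'obd_demo_' . getmypid();
$allowed = $root . $sep . 'uploads';
$outside = $root . $sep . 'config';
mkdir($allowed, 0700, true);
mkdir($outside, 0700, true);
file_put_contents($allowed . $sep . 'a.txt', 'user data');
file_put_contents($outside . $sep . 'secret.ini', 'db_password=constructed');

// From here on PHP's file functions may only touch $allowed.
// At runtime the setting can be tightened but not loosened again.
ini_set('open_basedir', $allowed . $sep);

function readUpload(string $base, string $name): string
{
    // Naive path join: the kind of non-deliberate mistake the quoted message means.
    return file_get_contents($base . DIRECTORY_SEPARATOR . $name);
}

foreach (['a.txt', '../config/secret.ini'] as $name) {
    try {
        printf("%-22s -> read %d bytes\n", $name, strlen(readUpload($allowed, $name)));
    } catch (ErrorException $e) {
        // The message names the offending path and the allowed path(s).
        printf("%-22s -> blocked: %s\n", $name, $e->getMessage());
    }
}
```

The first read succeeds and the second is reported as an open_basedir restriction. As both messages say, this catches accidental access and is not a boundary against deliberately crafted PHP code.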