Newsgroups: php.internals
Message-ID: <60321.66.158.132.127.1079720603.squirrel@www.funio.com>
Date: Fri, 19 Mar 2004 13:23:23 -0500 (EST)
To: internals@lists.php.net
Subject: Re: [PHP-DEV] new security related directive for php-4.3.4
From: boulat@funio.com

> No new features are being accepted into the 4.3.X tree, only bug fixes.
> The patch itself seems to duplicate the open_basedir functionality anyway.
>
> Ilia

It's not really duplicating anything in open_basedir. As a matter of fact it
is meant to be used together with open_basedir for best results.

ISPs and people doing mass hosting would mainly benefit from that patch.

For example, if I had all my domains hosted in /home, then setting /home in
open_basedir will not let customers get out of /home, but they would still
be able to read each other's documents.

PHP scripts in /home/domain1.com could still read files located in
/home/domain2.com, so in other words setting open_basedir = /home won't
prevent users located inside /home from snooping on each other's data.

That's the main reason why I wrote that patch.

As for "No new features are being accepted into the 4.3.X tree", I can
create a patch for testing for any other PHP tree if needed.

Cheers,
Boulat.

>
> On March 19, 2004 12:48 pm, boulat@funio.com wrote:
>> Hi internals,
>>
>> I added "virtual_root_level" new security related directive
>> into php-4.3.4.
>>
>> Full description with the patch can be found in here
>>
>> http://www.boulat.net/projects/virtual_root_level/
>>
>> Some feedback/comments would be appreciated.
>>
>> Regards,
>> Boulat
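The /home layout discussed in the message above, run through a simplified model of a prefix-style open_basedir check. This is an added example, not part of the original e-mail and not PHP's or the patch's own code; the tenant names, the `config.php` file name and the per-tenant settings used for comparison are assumptions, and symlink resolution is left out.

```python
# Added example: simplified model of a prefix-style open_basedir check.
# Not PHP source code; symlink resolution is deliberately left out.
import posixpath

def is_allowed(path, open_basedir):
    """Return True if `path` falls under any entry of a colon-separated open_basedir."""
    # Collapse "." and ".." so "/home/a/../b" is judged as "/home/b".
    resolved = posixpath.normpath(path)
    for base in open_basedir.split(":"):
        if not base:
            continue
        if base.endswith("/"):
            # Trailing slash: the entry names a directory; match it or anything below.
            if resolved == base.rstrip("/") or resolved.startswith(base):
                return True
        elif resolved.startswith(base):
            # No trailing slash: plain string prefix, so sibling names can match too.
            return True
    return False

def audit(tenants, open_basedir_for):
    """List (script_owner, other_tenant) pairs where the owner can read the other's files."""
    leaks = []
    for owner in tenants:
        for other in tenants:
            target = f"/home/{other}/config.php"  # constructed file name
            if owner != other and is_allowed(target, open_basedir_for(owner)):
                leaks.append((owner, other))
    return leaks

# Constructed tenant directory names under /home.
TENANTS = ["domain1.com", "domain2.com", "domain1.com.au"]

shared = audit(TENANTS, lambda t: "/home")                  # one global setting
per_tenant_prefix = audit(TENANTS, lambda t: f"/home/{t}")  # per tenant, no slash
per_tenant_dir = audit(TENANTS, lambda t: f"/home/{t}/")    # per tenant, with slash

if __name__ == "__main__":
    print("shared /home:", shared)
    print("per-tenant, no trailing slash:", per_tenant_prefix)
    print("per-tenant, trailing slash:", per_tenant_dir)
```

With the shared value every tenant can read every other tenant's files; a per-tenant value without a trailing slash still lets `domain1.com` reach `domain1.com.au`, because the entry is compared as a string prefix.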