Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:86244
Return-Path: <johannes@schlueters.de>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 9970 invoked from network); 16 May 2015 14:32:32 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 16 May 2015 14:32:32 -0000
Authentication-Results: pb1.pair.com smtp.mail=johannes@schlueters.de; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=johannes@schlueters.de; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain schlueters.de from 217.114.215.10 cause and error)
X-PHP-List-Original-Sender: johannes@schlueters.de
X-Host-Fingerprint: 217.114.215.10 mail.experimentalworks.net  
Received: from [217.114.215.10] ([217.114.215.10:36439] helo=mail.experimentalworks.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id FB/E1-14891-DF457555 for <internals@lists.php.net>; Sat, 16 May 2015 10:32:30 -0400
Received: by mail.experimentalworks.net (Postfix, from userid 1003)
	id 2D9534AF6D; Sat, 16 May 2015 16:33:11 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on
	km31408.keymachine.de
X-Spam-Level: *
X-Spam-Status: No, score=1.4 required=4.0 tests=ALL_TRUSTED,
	DNS_FROM_AHBL_RHSBL autolearn=no version=3.3.2
X-Spam-HAM-Report: 
	*  2.4 DNS_FROM_AHBL_RHSBL RBL: Envelope sender listed in dnsbl.ahbl.org
	* -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP
Received: from [192.168.2.34] (ppp-93-104-13-228.dynamic.mnet-online.de [93.104.13.228])
	(using TLSv1.2 with cipher DHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	(Authenticated sender: johannes@schlueters.de)
	by mail.experimentalworks.net (Postfix) with ESMTPSA id 5E0E34AF68;
	Sat, 16 May 2015 16:33:08 +0200 (CEST)
Message-ID: <1431786740.18913.0.camel@kuechenschabe>
To: Patrick Schaaf <php@bof.de>
Cc: francois@php.net, Yasuo Ohgaki <yohgaki@ohgaki.net>, internals
	 <internals@lists.php.net>
Date: Sat, 16 May 2015 16:32:20 +0200
In-Reply-To: <CAJ26g5RqqbDsCvpPwG6aC88FEkRq7QAzStgk69d8h9HUDJryGw@mail.gmail.com>
References: 
	<CAGa2bXYQuC8mfUxwSTS4rQ2M5afkogLBAjz0tJwRChhTNN21Gw@mail.gmail.com>
	 <001101d08fd8$cf5beb40$6e13c1c0$@php.net>
	 <CAJ26g5RqqbDsCvpPwG6aC88FEkRq7QAzStgk69d8h9HUDJryGw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.10.4-0ubuntu2 
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Preload scripts and preloaded scripts only options
From: johannes@schlueters.de (Johannes =?ISO-8859-1?Q?Schl=FCter?=)

On Sat, 2015-05-16 at 15:32 +0200, Patrick Schaaf wrote:
> None of this whitelisting-by-filename would be practical for our setup.
> Have a look at what Smarty does with compiled templates and cached pages:
> PHP includes generated on the fly, with filenames that are not known in
> advance. For such usage a whitelisting per realpath prefix, would be the
> only reasonable approach.

That whitelist is called open_basedir.
http://php.net/manual/en/ini.core.php#ini.open-basedir

johannes