Hello,
On 10/13/06, Tim Starling <[EMAIL PROTECTED]> wrote:
> Sara Golemon wrote:
> > The attached patch changes open_basedir from PHP_INI_SYSTEM to PHP_INI_ALL.
> [...]
> > The advantage of doing this is that package authors and/or users of shared
> > hosting who may not have access to making their settings more restrictive
> > can avoid most simple FS inspection attacks caused by buggy script code by
> > adding a single ini_set(basedir(__FILE__)); to the top of their script or
> > setting it with an .htaccess directive.
>
> Great feature. I can see this being very useful to packaged PHP applications
> like ours (MediaWiki). The only complication in implementation I can think
> of is trying to work out the location of PEAR, for those modules that use
> it. I suppose we would have to append the default include_path to the
> runtime open_basedir, to make sure that PEAR is accessible.

There is no issue with PEAR or any applications using include_path and
relative paths in include/require. The system include_path paths, if any,
should already be in the open_basedir. If they are not, you
have to install the desired modules within your open_basedir, just
like now.
Sara, I did not check the patch (not readable here :P), but I like the idea.
--Pierre
--
PHP Internals - PHP Runtime Development Mailing List
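
An added example, not code from the thread or the patch: one way a packaged application could narrow open_basedir at startup while keeping the include_path directories (such as PEAR) readable, as discussed above. It assumes PHP 5.3 or later, where open_basedir can be tightened but not loosened at runtime; `tighten_open_basedir` is a hypothetical helper name and the temporary file is constructed for the check.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+ (type hints) and the
// runtime tightening of open_basedir available since PHP 5.3.

// Hypothetical helper: restrict file access to $appRoot plus include_path dirs.
function tighten_open_basedir(string $appRoot): bool
{
    $root = realpath($appRoot);
    if ($root === false) {
        return false;
    }
    // open_basedir entries are prefixes; a trailing separator stops
    // "/srv/app" from also matching "/srv/app-backup".
    $allowed = [rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR];

    // Keep absolute include_path entries (for example PEAR) reachable.
    foreach (explode(PATH_SEPARATOR, get_include_path()) as $dir) {
        $real = ($dir === '' || $dir === '.') ? false : realpath($dir);
        if ($real !== false && is_dir($real)) {
            $allowed[] = rtrim($real, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        }
    }

    // ini_set() returns false when the change is refused, e.g. because the
    // new value is not inside an open_basedir the administrator already set.
    $value = implode(PATH_SEPARATOR, array_unique($allowed));
    return ini_set('open_basedir', $value) !== false;
}

// Constructed check: a file outside the application root, created beforehand.
$outside = tempnam(sys_get_temp_dir(), 'obd');
file_put_contents($outside, 'outside the application root');

if (!tighten_open_basedir(__DIR__)) {
    error_log('open_basedir could not be tightened');
    exit(1);
}

// With the restriction active, the read fails unless the temp directory
// happens to sit inside one of the allowed directories.
$data = @file_get_contents($outside);
echo $data === false ? "read outside root: blocked\n" : "read outside root: allowed\n";
```

The call belongs at the very top of the entry script, before any user-controlled path is used; the temporary file cannot be removed by the script afterwards because it is now outside the allowed directories.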