On Sat, Aug 4, 2012 at 10:05 PM, Andrew Faulds <a...@ajf.me> wrote:
> On 04/08/12 21:03, Nikita Popov wrote:
>> On Sat, Aug 4, 2012 at 9:57 PM, Yahav Gindi Bar <g.b.ya...@gmail.com> wrote:
>>> We had dl() until it was deprecated, and even when we got it I guess that
>>> administrators disabled the dl() method because of security reasons.
>>> However, PECL got limited extensions which, as far as I know, does not put
>>> the server into security risks (maybe I've said something VERY STUPID right
>>> now, so excuse me...)
>>
>> PECL extensions are C code. "C code" is programmer slang for "security risk".
>>
>> I mean, seriously, extension code can be pretty much everything.
>> Allowing people to load extensions from userland would go beyond fatal.
>>
>> Nikita
>>
> Aren't shared hosting servers pretty well secured, though? If each site
> is under a different userid, surely it can't do much damage?
>

From C code, any and all PHP security measures like open_basedir, allow_url_include, etc. could be bypassed. Of course the preferred way to secure a multi-user environment is to do that outside of PHP (jail/chroot/suexec etc.), but this would still be an attack vector.

-- 
Ferenc Kovács
@Tyr43l - http://tyrael.hu
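The thread's point is that dl() lets a script pull native code into the interpreter process, where open_basedir and friends no longer apply. The script below is an added example, not something posted in the thread or shipped by PHP, that an administrator can run on a shared host to report the settings which govern whether dl() is reachable from userland. It assumes a PHP version where the enable_dl, disable_functions and extension_dir directives exist (all current releases); the function name dlLoadingAudit is made up here.

```php
<?php
// Added example (not from the thread): report the runtime settings that
// decide whether userland PHP can load a native extension with dl().
// Returns an array of findings so the check can be reused from a
// deployment script instead of only printing.

function dlLoadingAudit(): array
{
    $findings = [];

    // enable_dl=On allows dl() to load arbitrary C code into the PHP
    // process. Such code is not subject to open_basedir or
    // allow_url_include, which are enforced inside the interpreter.
    $enableDl = filter_var(ini_get('enable_dl'), FILTER_VALIDATE_BOOLEAN);
    $findings['enable_dl'] = $enableDl ? 'On (dl() permitted)' : 'Off';

    // disable_functions is a comma-separated list; listing dl there is a
    // second line of defence that survives a per-directory enable_dl change.
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $findings['dl_in_disable_functions'] = in_array('dl', $disabled, true);

    // function_exists() reports false when dl was disabled or is not
    // provided by this SAPI, which is what a hardened host should show.
    $findings['dl_callable'] = function_exists('dl');

    // dl() only loads libraries from extension_dir. If the web user can
    // write there, any .so it drops becomes loadable, so the directory
    // must not be writable by the account running PHP.
    $extDir = (string) ini_get('extension_dir');
    $findings['extension_dir'] = $extDir;
    $findings['extension_dir_writable_by_php_user'] = $extDir !== '' && is_writable($extDir);

    // Context for the report: which SAPI is running and whether the
    // interpreter-level restriction the thread mentions is configured.
    $findings['sapi'] = PHP_SAPI;
    $findings['open_basedir'] = (string) ini_get('open_basedir');

    // A single verdict: dl() is reachable if it is enabled, not disabled
    // and actually present in this SAPI.
    $findings['verdict'] = ($enableDl && $findings['dl_callable'])
        ? 'RISK: userland can load native extensions'
        : 'OK: dl() not reachable from userland';

    return $findings;
}

// Usage from the CLI (output is constructed by this script, not captured
// from a real host): php dl_audit.php
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === realpath(__FILE__)) {
    foreach (dlLoadingAudit() as $key => $value) {
        printf("%-36s %s\n", $key, var_export($value, true));
    }
}
```

The verdict line is the one to wire into a monitoring check; the remaining keys explain why it fired. Remediation on a multi-tenant host is the usual pair of php.ini settings, enable_dl = Off and dl added to disable_functions, on top of the per-user isolation (chroot, suexec, separate pools) that Ferenc notes is the real boundary.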