> At 08:15 AM 2/5/2002, Rasmus Lerdorf wrote:
> >The fact that 3rd party libs can load arbitrary files is not a new
> >concept. Every time I give a moderately detailed PHP talk I mention the
> >fact that there is a way to load a file through the oci8 libs. Of course
> >it can be done through the mysql libs as well. This is not a new concept.
> >All someone would have had to do to learn of this "vulnerability" would
> >have been to go to any of the PHP talks I have given in the past 3 years.
>
> Which means that about one out of every 10,000 PHP users are aware of it? :)
>
> Seriously though, it should probably be noted in some prominent place that
> safe mode isn't safe, at best, it's safer.

Sure, but it is one of those obvious things. Like allowing a user to shell out to some third-party app and us not being able to stop that app from doing whatever it wants to. It is sort of a given, but by all means, document this.

-Rasmus

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php