From:             cjbj at hotmail dot com
Operating system: n/a
PHP version:      Irrelevant
PHP Bug Type:     Documentation problem
Bug description:  Suggestions for improving security note documentation

Description:
------------
The phrasing in http://www.php.net/security-note.php has caused
confusion in at least one database administrator's mind about the
safeness of PHP.  See
  http://forums.oracle.com/forums/thread.jspa?threadID=340485
for one report of confusion.

Can the fourth paragraph of the security note be modified to read

    For Local exploits we mostly hear about open_basedir or
    safemode problems on shared virtual hosts.  These two
    features are there as a convenience to system administrators
    and should in no way be thought of as a complete security
    framework.  With all the 3rd-party libraries you can hook
    into PHP and all the creative ways you can trick these
    libraries into accessing files, it is impossible to guarantee
    security with these directives.  The CURL extension is a
    library that allows local file system access despite the
    value of open_basedir.  Another example is that Oracle
    Database can be configured to allow local files to be loaded
    into the database.  Access control is handled by Oracle and
    is not under control of PHP.



-- 
Edit bug report at http://bugs.php.net/?id=35308&edit=1
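The proposed wording says open_basedir cannot be relied on to cover every route an extension has to the file system. The script below is an added probe, not part of this bug report or of the PHP manual: it tightens open_basedir at runtime and then tries to read a file inside and a file outside the permitted directory through two routes, the stream layer (file_get_contents) and the curl extension with a file:// URL, and reports which attempts succeed. It does not assume a particular outcome, since that depends on the PHP build and version; a "READ" on an "outside jail" row is a route that open_basedir does not cover on that build. Assumptions: PHP 7.4 or later on the CLI, a process whose open_basedir is not already narrower than the temp directory, and a world-readable file outside that directory (here /etc/hostname; change $outside if it does not exist).

```php
<?php
// Added probe (not from the bug report or the PHP manual): does this build
// honour open_basedir for the stream layer and for the curl extension?
// Assumptions: PHP >= 7.4 CLI, no pre-existing narrower open_basedir,
// and a readable file outside the jail at $outside.

$jail    = sys_get_temp_dir() . '/obd_probe_' . getmypid();
$outside = '/etc/hostname';   // assumption: exists and is world-readable

mkdir($jail, 0700);
file_put_contents("$jail/inside.txt", "inside\n");

// open_basedir may be tightened at runtime but never loosened, so this
// fails if the process already runs under a narrower setting.
if (ini_set('open_basedir', $jail) === false) {
    fwrite(STDERR, "could not set open_basedir (already restricted?)\n");
    exit(1);
}

function probe_stream(string $path): string
{
    // @ silences the warning; false means the stream layer refused the path.
    $data = @file_get_contents($path);
    return $data === false ? 'blocked' : 'READ ' . strlen($data) . ' bytes';
}

function probe_curl(string $path): string
{
    if (!function_exists('curl_init')) {
        return 'curl extension not loaded';
    }
    $ch = curl_init('file://' . $path);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $data = curl_exec($ch);
    $err  = curl_error($ch);
    curl_close($ch);
    if ($data === false) {
        // Newer builds refuse file:// outright under open_basedir; the
        // libcurl error text says which case applies.
        return 'blocked (' . ($err !== '' ? $err : 'no transfer') . ')';
    }
    return 'READ ' . strlen($data) . ' bytes';
}

$tests = [
    'stream, inside jail'  => fn() => probe_stream("$jail/inside.txt"),
    'stream, outside jail' => fn() => probe_stream($outside),
    'curl, inside jail'    => fn() => probe_curl("$jail/inside.txt"),
    'curl, outside jail'   => fn() => probe_curl($outside),
];

printf("open_basedir = %s\n", ini_get('open_basedir'));
foreach ($tests as $label => $run) {
    printf("%-22s %s\n", $label . ':', $run());
}

// Any "READ" on an "outside jail" row is a file-access route that
// open_basedir does not govern on this build; it has to be closed some
// other way (disable_functions, not loading the extension, OS-level
// isolation), which is the point the suggested paragraph makes.

unlink("$jail/inside.txt");
rmdir($jail);
```

Run it once per PHP build and SAPI you deploy (the CLI result does not prove anything about mod_php or FPM), and extend the $tests table with whatever other extensions the host loads that open files by themselves; the note's second example, a database server loading local files on PHP's behalf, cannot be probed from PHP at all, because that access happens in the database process under its own permissions.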