> With safemode on they can't do this symlink trick directly from
> php because PHP's symlink() safemode checks source and target paths.
>
Good call...

> The only case that trips us up is the one where a user has direct access to
> create whatever symlinks he wants in his own directory and then by hitting
> that symlink through the web server he is effectively reading any file the
> web server user id has permission to read and thereby bypassing safemode.
>
I wouldn't consider it uncommon for shared hosting users to have a shell account....

> But like my syscall patches, realpath caching isn't something all that
> many really need. Turning it off when safemode/open_basedir is on should
> be fine.
>
I can agree with that. Even though the caching would be a real "nice-to-have". It's much cleaner to just disable it in cases where it'll cause more harm than good.

I *do* want to point out that the current form of the patch won't build under ZTS though. virtual_file_ex has no TSRMLS_DC in its declaration but it makes use of CWDG().

-Sara

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php