Pierre wrote:
> There is no issue with PEAR or any applications using include_path and
> relative paths in include/require. The system include_path, if any,
> paths should already be in the open_basedir. If they are not, you
> have to install the desired modules within your open_basedir, just
> like now.
The application I'm interested in is where there is no system open_basedir,
and the application wishes to lock down the environment. So we could do:
    ini_set('open_basedir', ini_get('include_path') . PATH_SEPARATOR .
        dirname(__FILE__));
But that still allows the application to access every path that the system
administrator has, at a whim, included in include_path. It's not maximally
restrictive, really we only need dirname(__FILE__) and wherever PEAR is.
We could do:
    $pear = trim(`pear config-get php_dir`);
    ini_set('open_basedir', $pear . PATH_SEPARATOR . dirname(__FILE__));
But of course, that's not very portable. What I'm hinting at is that it
might be kind of nice if PHP knew where PEAR was, and provided it say via
$_SERVER. It might save a bit of mucking around.
System administrators are usually pretty clueless about PHP compared to
application developers. It's up to the application to make sense of whatever
insecure, inconsistent mess the sysadmin has left the system in, and to run
in that environment as securely as possible. That's why I welcome a feature
such as this.
Now if there was just some way for the application to control
magic_quotes_gpc and register_globals, I'd be a happy man.
-- Tim Starling
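
Added example (not part of the original message, and not PHP's or PEAR's own code): one portable way to get the narrower open_basedir discussed above without shelling out to the pear command, by keeping only the include_path entry that actually holds PEAR.php. The helper names locate_pear_dir() and lock_down_basedir() are hypothetical; it assumes PHP 7.1 or later, no system-wide open_basedir already in force, and that PEAR's php_dir is the directory containing PEAR.php.

```php
<?php
// Added example. locate_pear_dir() and lock_down_basedir() are
// hypothetical helper names, not part of PHP or PEAR.

/** Return the first include_path entry that contains PEAR.php, or null. */
function locate_pear_dir(string $includePath): ?string
{
    foreach (explode(PATH_SEPARATOR, $includePath) as $dir) {
        if ($dir === '' || $dir === '.') {
            continue; // cwd-relative entries are not a fixed location
        }
        $real = realpath($dir); // resolve symlinks before whitelisting
        if ($real !== false
            && is_file($real . DIRECTORY_SEPARATOR . 'PEAR.php')) {
            return $real;
        }
    }
    return null;
}

/** Restrict open_basedir to the application directory plus PEAR, if found. */
function lock_down_basedir(string $appDir): string
{
    $app = realpath($appDir);
    if ($app === false) {
        throw new RuntimeException("cannot resolve $appDir");
    }
    $dirs = [$app];

    // Must run before ini_set(): afterwards, probing directories
    // outside the new open_basedir would itself be refused.
    $pear = locate_pear_dir((string) ini_get('include_path'));
    if ($pear !== null && $pear !== $app) {
        $dirs[] = $pear;
    }

    $value = implode(PATH_SEPARATOR, $dirs);
    // ini_set() returns the old value on success and false on failure.
    if (ini_set('open_basedir', $value) === false) {
        throw new RuntimeException('open_basedir could not be set');
    }
    return $value;
}

echo lock_down_basedir(__DIR__), PHP_EOL;
```

Every other directory the administrator placed in include_path stays outside the resulting open_basedir, so includes that relied on those entries will fail after the call.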