Stanislav Malyshev wrote:
>> I am fully aware that it can be made faster. But a slow solution is
>> better than no solution at all.
>
> Actually in many situations it isn't. Since as far as I can see the
> problem can lead to real harm only in a rather limited set of
> situations, making the engine always considerably slower just to fix
> it does not seem a very good solution to me.

Well yes. I think to solve this "once and for all" a public statement by the PHP group would be nice that says:

We think that local vulnerabilities that allow people who managed to execute PHP code on the server through a PHP script vulnerability or those on shared hosting to launch further attacks, like stealing data from Apache memory or take over the webserver socket (when mod_php is used) or to launch direct kernel exploits (which would not be possible if PHP would be secure), or a bunch of other attacks that are not possible from PHP code, are not important. We therefore won't fix them.

This statement would be honest and would be a good warning sign for people to choose another language.

Stefan Esser

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php