Rasmus Lerdorf wrote:
> William A. Rowe, Jr. wrote:
>> In httpd server (and most) there is a startup phase, when we generally
>> trust what the admin has done, and a runtime phase. There are obvious
>> exploits if untrusted scripts can run arbitrary dlload's after startup.
>>
>> enable_dl in php.ini will obviously override this, but to start up and
>> load dynamic extensions, it's initially required to be on.
>>
>> Is there any sense in having php4apache2 (and other SAPI's) permitted
>> to run the entire startup phase of php prior to turning enable_dl back
>> off for the runtime phase of the server?
>
> enable_dl only affects the userspace dl() function. That can only be
> called at the runtime phase, as you call it. So what you are proposing
> doesn't make much sense.

Thank you for clarifying, Rasmus. Since userspace dl() can pollute future requests on the same prefork worker, or pollute other workers running on the threaded/worker style MPM, is there any thought to disabling this by default in at least one of the flavors of proposed php.ini solutions that are provided with the distribution?

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
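
An added example, not part of the thread and not PHP's own code: a small Python audit that reports whether userspace dl() stays reachable under a given php.ini. It assumes that an unset enable_dl counts as on (PHP's documented default) and that listing dl in disable_functions also blocks it; the function names and sample ini text are constructed for illustration.

```python
import re

TRUE_WORDS = {"on", "yes", "true"}  # ini keywords that evaluate to true

def parse_ini(text):
    """Return {directive: value} from php.ini text; the last assignment wins."""
    settings = {}
    for raw in text.splitlines():
        # Simplification: treats every ';' as a comment start, which is
        # adequate for the two directives inspected here.
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings

def ini_bool(value):
    """Approximate PHP's boolean reading: on/yes/true or a non-zero integer."""
    v = value.strip().lower()
    if v in TRUE_WORDS:
        return True
    return bool(re.fullmatch(r"-?\d+", v)) and int(v) != 0

def dl_reachable(text):
    """True if scripts running under this ini text could still call dl()."""
    s = parse_ini(text)
    # Assumption: a missing enable_dl line means the built-in default (on).
    enabled = ini_bool(s.get("enable_dl", "1"))
    blocked = {f.strip().lower() for f in s.get("disable_functions", "").split(",")}
    return enabled and "dl" not in blocked

# Constructed sample configurations (not taken from any shipped php.ini).
NO_DIRECTIVE = "[PHP]\nengine = On\n"
EXPLICIT_OFF = "[PHP]\nenable_dl = Off ; hardened for shared workers\n"
ON_BUT_DISABLED = "enable_dl = On\ndisable_functions = exec, DL ,system\n"
LATER_OVERRIDE = "enable_dl = Off\n; appended by a later edit\nenable_dl = 1\n"

if __name__ == "__main__":
    for name, ini in [("no directive", NO_DIRECTIVE),
                      ("explicit off", EXPLICIT_OFF),
                      ("on, dl in disable_functions", ON_BUT_DISABLED),
                      ("off then on", LATER_OVERRIDE)]:
        state = "reachable" if dl_reachable(ini) else "blocked"
        print(f"{name}: dl() {state}")
```

The "no directive" and "off then on" cases are the ones a quick grep for `enable_dl = Off` tends to miss.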