On Thu, May 31, 2007 3:36 pm, William A. Rowe, Jr. wrote:
> In httpd server (and most) there is a startup phase, when we generally
> trust what the admin has done, and a runtime phase. There are obvious
> exploits if untrusted scripts can run arbitrary dlload's after
> startup.

Call me silly, but if you've got untrusted scripts running, dl or no
dl, you are in a boat-load of trouble...

> enable_dl in php.ini will obviously override this, but to start up and
> load dynamic extensions, it's initially required to be on.
>
> Is there any sense in having php4apache2 (and other SAPI's) permitted
> to run the entire startup phase of php prior to turning enable_dl back
> off for the runtime phase of the server?

I still haven't figured out why dl() needs to go away at all, frankly.

Why not default it off and add yet another php.ini flag, or add a
special php.ini flag which does the exact same thing as putting dl on
the list of banned functions?

I'm not seeing the big win of killing dl...

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php