Rasmus Lerdorf wrote:
> William A. Rowe, Jr. wrote:
>> An example php.ini file that is significantly immune to these side effects
>> would seem to be a good idea. Either that, or a "DON'T COHOST UNTRUSTED
>> SCRIPTS" disclaimer :)
>
> Disabling dl() is a rather well-known ISP configuration. And it isn't
> allowed at all in any threaded sapis, so that part isn't an issue. I
> guess you are asking us to provide an example .ini file for hosting
> companies. The sticky point here is that I think most of us would
> suggest using a fastcgi or a completely vm'ed setup for any sort of
> secure hosting. And in both those cases dl() wouldn't actually be a
> problem.

I concur w.r.t. cgi, that's the gist of the response to bugtraq I'm drafting.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php