On Tue, 2009-02-17 at 10:12 +0100, sean finney wrote:
> hi,
> 
> On Tue, Feb 17, 2009 at 02:02:35AM -0500, Eric Stewart wrote:
> > 14. A few other directives have been questioned but I don't have enough
> > experience with these particular settings so please weigh in on them.
> > 
> > extension_dir = "./"
[...]
> - if you have extension_dir = "./", then even open_basedir and similar
>   built-in restrictions about the path of dl()'d .so extensions are no 
>   longer in effect, and the floodgates are opened for various types of 
>   external attacks.

extension_dir should be the compiled-in default, at least on *nix. On
Windows maybe the installer can set it. So the value should be commented
out.

On *nix the reason is that the compiled-in default (for example
$prefix/lib/php/extensions/no-debug-non-zts-20090115) is used when
compiling extensions using the phpize way or the PEAR installer, so only
with that value will it work out of the box.

johannes



-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
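
An added example, not part of the thread or of PHP itself: a small Python audit that flags an uncommented, relative extension_dir in php.ini text, the setting discussed above. The enable_dl check, the choice to ignore section headers and keep the last assignment, and the sample ini text are assumptions of this example.

```python
import ntpath
import posixpath
import re

# An uncommented "name = value" line; ';' starts a comment in php.ini.
DIRECTIVE = re.compile(r'^([A-Za-z_][\w.]*)\s*=\s*(.*)$')

def effective_directives(ini_text):
    """Return {name: value} for uncommented directives.
    Assumption: section headers are ignored and the last assignment is kept."""
    found = {}
    for line in ini_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith((';', '[')):
            continue
        m = DIRECTIVE.match(stripped)
        if not m:
            continue
        name, value = m.group(1), m.group(2).strip()
        if value[:1] in ('"', "'"):
            # Quoted value: keep the text between the quotes.
            end = value.find(value[0], 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            # Unquoted value: drop a trailing ';' comment.
            value = value.split(';', 1)[0].strip()
        found[name] = value
    return found

def audit_extension_dir(ini_text):
    """Return findings about extension_dir; an empty list means nothing flagged."""
    d = effective_directives(ini_text)
    ext_dir = d.get('extension_dir')
    if ext_dir is None:
        return []  # commented out or absent: the compiled-in default applies
    findings = []
    if not (posixpath.isabs(ext_dir) or ntpath.isabs(ext_dir)):
        findings.append(f'extension_dir is relative: {ext_dir!r}')
        if d.get('enable_dl', '').lower() in ('1', 'on', 'yes', 'true'):
            findings.append('enable_dl is on while extension_dir is relative')
    return findings

# Constructed sample inputs (not taken from any shipped php.ini).
WEAK = 'enable_dl = On\nextension_dir = "./"  ; shipped value\n'
FIXED = 'enable_dl = Off\n;extension_dir = "./"\n'

if __name__ == '__main__':
    for label, text in (('weak', WEAK), ('fixed', FIXED)):
        print(label, audit_extension_dir(text) or 'ok')
```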
