On Tue, 7 May 2019 at 11:38, Zeev Suraski <z...@php.net> wrote:

> - especially here, where folks who rely on it for (even some level of)
> security would have a lot of work on their hands to come up with a
> different solution for isolation.

This point is worth dwelling on I think: if someone is using this feature as part of their security right now, is it better than nothing?

I don't think it's sensible to assume that everyone seeing the deprecation notice will immediately put into place a security review of their hosting, so we should consider which of the following will lead to the best security outcome:

a) open_basedir remains available, and people keep using it
b) open_basedir is removed in PHP 8, and people upgrade without reviewing the rest of their security
c) open_basedir is removed in PHP 8, and people stay on PHP 7.4 instead of upgrading

If scenario (a) gives even a slight security advantage over scenario (b), we should think very carefully before removing the feature.

Regards,
--
Rowan Collins
[IMSoP]