On Fri, 10 May 2019 22:55:51 +0200 / Niklas Keller <m...@kelunik.com> said :
> That's exactly the reason why I'm for removing it. There will always > be ways to circumvent open_basedir and setups like this are insecure. > It gives a false sense of security. It's not better than nothing, > because most hosting providers would opt for a real solution instead > of leaving users entirely unprotected. What's your solution then? I'll be more than happy to have anything better that will work with thousands of users :) Also I don't get the argument that because it isn't perfect it would not be useful. It definitely is, as a security measure. chroot isn't perfect either, but you might want to use it as well. Same for disable_functions, sure there will be ways to go around it, but it will still block 90% of attacks we might get. So, definitely not the most reliable thing, but it adds a layer that may help. I can pick the lock on my front door in about 10 minutes, a professional probably much less. And you can enter by breaking a window. But it is still effective as a security measure. And it would be silly if someone would come and tell me that the lock should be removed because it gives a false sense of security :) -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
