--- Tim Traver <[EMAIL PROTECTED]> wrote:

> I believe that is the reason that the PHP group came up with the
> open_basedir directive.
>
> The open_basedir prevents you from looking into anything higher
> than a particular directory tree using PHP.
>
> So, a combination of safe_mode and open_basedir should prevent
> your script from being able to walk the tree.

We know what these directives do. I think you're missing the point. How can a PHP directive offer any protection against someone writing a CGI that reads a file somewhere? Think about it.

> I didn't think there was, and if there is, then we better post
> that to the security guys at php, cause that's not good.

We know that neither safe_mode nor open_basedir offers protection from this. We also know that it's impossible to solve this problem at the PHP level, because it is completely independent of PHP.

> I think it should be pretty safe though if implemented correctly.

If you do not offer CGI access or any interpreter besides PHP, then I suppose it's better than nothing, but I wouldn't characterize this as safe. I suspect that if I were a user on this host, I could give you a URL that displays another account's password within a few minutes. But, I'm just speculating. :-)

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
Coming December 2004
HTTP Developer's Handbook - Sams
http://httphandbook.org/
PHP Community Site
http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php