Sterling Hughes wrote:
> no....  curl does not need to respect php's safemode, adding such
> checks at this level is wrong.  people who compile curl, can do so
> without local file access, and this will solve their problem.

What about people who use precompiled packages like the Debian packages? They don't have a "special" Curl for PHP. The curl Debian package will never "disable" file-support just because it breaks a feature of PHP. So Debian users can't use safemode then if they need the curl extension and if they don't want (or don't know how) to compile the stuff.


And what about PHP installations on Windows (if there is a safe-mode and a curl extension, don't know)? Especially Windows users are not used to "compile" PHP. They are just downloading and installing DLLs.

In my opinion it would make sense to check the file://-URL inside the PHP extension before it goes to the curl library if safe mode is enabled. There must already be a check for this for PHP's fopen function, maybe this check can be re-used for this?

Safe-mode is a feature of PHP so PHP should make sure that this feature is working with all functions included in PHP if it's possible to secure the function (otherwise the user must disable it). And there is already a patch to do it, so it seems to be possible to secure the curl functions.

--
Bye, K <http://www.ailis.de/~k/> (FidoNet: 2:240/2188.18)
[A735 47EC D87B 1F15 C1E9  53D3 AA03 6173 A723 E391]
(Finger [EMAIL PROTECTED] to get public key)

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
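
The check proposed in the message above (inspect a file:// URL inside the extension and reuse the existing file-access check before the URL reaches the curl library), sketched as an added example that is not part of the original message, the patch it mentions, or PHP's source. The names `safe_mode_url_allowed` and `demo_path_check` are hypothetical, the `/var/www/` policy is a constructed stand-in for PHP's own fopen check, and refusing percent-encoded paths is a conservative assumption of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the file-access check PHP already applies in fopen()
 * (hypothetical: allows only paths below /var/www/ without ".."). */
static int demo_path_check(const char *path)
{
    return strncmp(path, "/var/www/", 9) == 0 && strstr(path, "..") == NULL;
}

/* Returns 1 if the URL uses the "file" scheme (compared case-insensitively),
 * storing a pointer to the text after "file:" in *rest. */
static int is_file_url(const char *url, const char **rest)
{
    static const char scheme[] = "file:";
    size_t i;
    while (*url && isspace((unsigned char)*url)) url++;  /* be conservative */
    for (i = 0; scheme[i]; i++)
        if (tolower((unsigned char)url[i]) != scheme[i]) return 0;
    *rest = url + i;
    return 1;
}

/* Gate run by the extension before the URL reaches the transfer library.
 * Returns 1 to pass the URL on, 0 to refuse it. Only the URL string given
 * here is checked. */
int safe_mode_url_allowed(int safe_mode, const char *url,
                          int (*path_check)(const char *))
{
    const char *p;
    if (!safe_mode) return 1;                 /* nothing to enforce */
    if (url == NULL) return 0;
    if (!is_file_url(url, &p)) return 1;      /* not a local-file URL */
    if (p[0] == '/' && p[1] == '/') {         /* skip "//authority" */
        p = strchr(p + 2, '/');
        if (p == NULL) return 0;              /* no path component */
    }
    if (strchr(p, '%')) return 0;             /* refuse encoded paths outright */
    return path_check(p);                     /* reuse the existing file check */
}

int main(void)
{
    const char *urls[] = { "file:///etc/passwd", "FILE:///etc/passwd",
                           "file:///var/www/index.html", "http://example.com/" };
    for (size_t i = 0; i < sizeof urls / sizeof *urls; i++)
        printf("%-30s %s\n", urls[i],
               safe_mode_url_allowed(1, urls[i], demo_path_check) ? "allow" : "refuse");
    return 0;
}
```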


