Peter Brodersen wrote:
> Well, safe_mode could prevent someone of doing a
> shell_exec("cat /home/otheruser/web/config.php");
> open_basedir can't do the same thing.
>
> Even if open_basedir could restrict the location of the called
> executable people could still upload a binary to their own directory.
Sorry for jumping in without reading the whole mammooth thread: Why not unbundle
safe_mode_exec_dir from safe_mode and keep it? That way, the obvious stuff gets
fixed (although you can still shoot yourself in the foot with stuff like convert
or whatever $CMS_OF_THE_DAY might require to run smoothly).
Is that feasible?
Regards,
--ck
--
http://www.de-punkt.de [ [EMAIL PROTECTED] ] http://www.stormix.de
PHP-Anwendungen sind gefährdet! SQL-Injection, XSS, Session-Angriffe,
CSRF, Commandshells, Response Splitting,... böhmische Dörfer? Dann gleich
"PHP-Sicherheit" direkt beim Verlag vorbestellen! http://www.php-sicherheit.de/
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
