Hi,

On Sun, 26 Mar 2006 12:42:57 -0500, in php.internals [EMAIL PROTECTED]
(Ilia Alshanetsky) wrote:

>If you don't trust your users to execute external commands, which is a 
>perfectly valid concern, PHP provides you with a way (the disable_functions 
>INI setting) to restrict the functionality.

I have earlier tried to ask for some "best practice" (e.g.
<[EMAIL PROTECTED]> ). Honestly, I don't think
requiring admins with untrusted users (all web host companies) to
maintain their own lists would be practical.

Would you be able to easily compile that list of functions that should
be included in the disable_functions setting? It wouldn't be enough
to just look at the functions mentioned at http://php.net/exec - you
might miss other functions such as popen().

Unless I have missed part of the documentation the best page to look
at for compiling the list of "dangerous"/exec related functions is
http://php.net/manual/en/features.safe-mode.functions.php . Maybe this
is just a documentation issue, but I believe the ability of disabling
all exec functions in one easy way is pretty important for a bunch of
administrators out there.

Furthermore, this behaviour would be vulnerable to new exec functions,
requiring a lot of maintenance for end users.

At least Rasmus mentioned that he would appreciate being reminded of
this feature (of keeping an internal list of exec functions and still
using safe_mode_exec_dir - possibly under a more descriptive name).

-- 
- Peter Brodersen
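As an added illustration (not code from this thread, nor from PHP itself), the following PHP script audits a disable_functions value against a candidate list of command-execution functions. The candidate list is an assumption drawn from the PHP manual's exec and safe-mode function pages and should be checked against the PHP version actually in use; the sample INI value is constructed for the example.

```php
<?php
// Added example, not part of the original thread.
// Audit a php.ini disable_functions value against a candidate list of
// command-execution functions, so an administrator can see which ones a
// hand-maintained list still leaves callable.

// Assumption: candidate list compiled from the PHP manual; adjust per version.
const EXEC_FUNCTIONS = [
    'exec', 'passthru', 'system', 'shell_exec',
    'popen', 'proc_open', 'pcntl_exec',
];

/**
 * Split a disable_functions value (comma and/or whitespace separated)
 * into a normalised, de-duplicated array of lower-case function names.
 */
function parse_disable_functions(string $ini): array
{
    $names = preg_split('/[\s,]+/', strtolower(trim($ini)), -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_unique($names));
}

/**
 * Return the candidate exec-related functions that are NOT named in the
 * disable_functions value, i.e. the gaps in the administrator's list.
 */
function exec_functions_still_enabled(string $ini, array $candidates = EXEC_FUNCTIONS): array
{
    $disabled = parse_disable_functions($ini);
    return array_values(array_diff($candidates, $disabled));
}

// Constructed sample: a list that covers the obvious names from the exec
// manual page but misses popen()/proc_open()/pcntl_exec().
$sample = 'exec,passthru,system,shell_exec';
echo "Gaps in sample list: " . implode(', ', exec_functions_still_enabled($sample)) . "\n";

// Against the running interpreter's own configuration.
$live = (string) ini_get('disable_functions');
foreach (exec_functions_still_enabled($live) as $fn) {
    // function_exists() is false when the function was never compiled in
    // (e.g. pcntl_exec without the pcntl extension), so only report real gaps.
    if (function_exists($fn)) {
        echo "WARNING: $fn is not in disable_functions and is callable\n";
    }
}
```

Run it with the PHP binary that serves the site (php -c /path/to/php.ini audit.php) so that ini_get() reflects the same configuration the web server loads; a CLI and an Apache or FPM build often read different ini files.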

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php