Re: [PHP-DEV] New INIs, Round Two.

2009-02-16 Thread David Zülke

On 17.02.2009, at 08:02, Eric Stewart wrote:

> 10. The production value of error_reporting has been changed to E_ALL |
> ~E_DEPRECATED.


I guess you mean E_ALL & ~E_DEPRECATED



Re: [PHP-DEV] New INIs, Round Two.

2009-02-17 Thread sean finney
hi,

On Tue, Feb 17, 2009 at 02:02:35AM -0500, Eric Stewart wrote:
> 14. A few other directives have been questioned but I don't have enough
> experience with these particular settings so please weigh in on them.
> 
> extension_dir = "./"
> enable_dl = On

i'd be incredibly wary of this setting, even in a development environment.

- if you have enable_dl on, a user can load an arbitrary .so into php's (and 
  thus most often apache's) memory space.
- if you have extension_dir = "./", then even open_basedir and similar
  built-in restrictions about the path of dl()'d .so extensions are no 
  longer in effect, and the floodgates are opened for various types of 
  external attacks.

the biggest reason that this is problematic is that in the case of
apache, you have raw access to all of apache's memory, including ssl keys,
stored passwords, etc, which typically a php script will not have.


sean




Re: [PHP-DEV] New INIs, Round Two.

2009-02-17 Thread Hannes Magnusson
On Tue, Feb 17, 2009 at 10:12, sean finney  wrote:
> hi,
>
> On Tue, Feb 17, 2009 at 02:02:35AM -0500, Eric Stewart wrote:
>> 14. A few other directives have been questioned but I don't have enough
>> experience with these particular settings so please weigh in on them.
>>
>> extension_dir = "./"
>> enable_dl = On
>
> i'd be incredibly wary of this setting, even in a development environment.
>
> - if you have enable_dl on, a user can load an arbitrary .so into php's (and
>  thus most often apache's) memory space.

dl() should indeed be disabled by default (and the NEWS entry says it is).
dl() support has furthermore been removed from most SAPIs, and
according to the NEWS entry it is only available for cli, cgi and
embed.
Actually, the docs and NEWS are a bit inconsistent on that: the docs
say the function just raises E_DEPRECATED, while the NEWS entry makes
it sound like dl() simply won't work as an apache module.

-Hannes

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php



Re: [PHP-DEV] New INIs, Round Two.

2009-02-17 Thread Johannes Schlüter
On Tue, 2009-02-17 at 10:12 +0100, sean finney wrote:
> hi,
> 
> On Tue, Feb 17, 2009 at 02:02:35AM -0500, Eric Stewart wrote:
> > 14. A few other directives have been questioned but I don't have enough
> > experience with these particular settings so please weigh in on them.
> > 
> > extension_dir = "./"
[...]
> - if you have extension_dir = "./", then even open_basedir and similar
>   built-in restrictions about the path of dl()'d .so extensions are no 
>   longer in effect, and the floodgates are opened for various types of 
>   external attacks.

extension_dir should be the compiled-in one by default, at least on *nix. On
windows maybe the installer can set it. So the value should be commented
out.

On *nix the reason is that the compiled-in default (for example
$prefix/lib/php/extensions/no-debug-non-zts-20090115) is used when
compiling extensions the phpize way or via the pear installer, so only with
that value will it work out of the box.

johannes






Re: [PHP-DEV] New INIs, Round Two.

2009-02-17 Thread Ilia Alshanetsky

> 14. A few other directives have been questioned but I don't have enough
> experience with these particular settings so please weigh in on them.
>
> extension_dir = "./"
> enable_dl = On



I think enable_dl should be off by default in both production and test
environments. Aside from being somewhat of a security risk, I think our
overall policy has been to discourage the use of dl() to dynamically
load extensions into PHP.


Ilia Alshanetsky








Re: [PHP-DEV] New INIs, Round Two.

2009-02-17 Thread Christopher Jones


Eric,

Should uncommented parameters that seem to have the default value be
commented out?  For example "asp_tags" and "precision".  If the
parameters don't always have the same default value everywhere, should
they be documented in the Quick Reference section as having a different
value to the default?

Eric Stewart wrote:
> 4. I mistakenly had the development and production values of
> allow_call_time_pass_reference reversed. This error has been
> corrected.

I really think this should be Off in both cases to discourage use.
The doc http://www.php.net/ini.core says "This method is deprecated
and is likely to be unsupported in future versions of PHP/Zend."

> 10. The production value of error_reporting has been changed to E_ALL |
> ~E_DEPRECATED.

This should use '&', as Dave already pointed out on the list.

> 12. The oci8.events and oci8.old_oci_close_semantics example values now use
> the boolean constants.

Thanks.

> 13. Many people have asked why the links to the online documentation for
> each directive are specifically to the English version.

Regardless of the language issue, can the URLs consistently use "www"
instead of "us2"?  At the moment both occur.

Can the generic case in this come first?

  ; 6. Windows directory (C:\windows or C:\winnt), or --with-config-file-path
  ; compile time option.

i.e. change it to

  ; 6. The directory from the --with-config-file-path compile time
  ; option, or the Windows directory (C:\windows or C:\winnt)

The general documentation could mention the use of variables as seen
in ext/standard/tests/general_functions/parse_ini_basic.{phpt,data}:

  basicval = bar
  var1 = ${basicval}

The general documentation could mention that absolute paths to
extensions are (now) supported:

  extension=/path/to/extension.so

This should use "its" not "it's":

  ; PHP attempts to find and load this configuration from a number of locations.
  ; The following is a summary of it's search order:

The first "it's" below should be "its":

  ; php.ini-development is very similar to it's production variant, except it's
  ; much more verbose when it comes to errors.

This should be "its" in:

  ; php.ini-production contains settings which hold security, performance and
  ; best practices at it's core.

Ditto in:

  ; Turning on this setting and managing it's maximum buffer size can yield some

Ditto in:

  ;   Integer = Enables the buffer and sets it's maximum size in bytes.

Ditto in:

  ; this to 1 will cause PHP CGI to fix it's paths to conform to the spec.  A setting

There's an (existing) typo in this description, I guess "ignore
libjpeg warnings" was the intention:

  ; Tell the jpeg decode to libjpeg warnings and try to create
  ; a gd image.

Chris

--
Email: christopher.jo...@oracle.com  Tel: +1 650 506 8630
Twitter:  http://twitter.com/ghrd   Free PHP Book: http://tinyurl.com/UGPOM

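Taken together, the points raised above (David's '&' versus '|' correction, sean's warning about enable_dl with extension_dir = "./", and Johannes's advice to leave extension_dir commented out) amount to a small php.ini audit. The following Python script is an added example, not code from the thread or from PHP itself: it evaluates an error_reporting expression with the same flat, left-associative precedence that php.ini's parser gives |, & and ^, and reports the three risky values on a constructed sample. The E_* values are PHP 5.3's (E_ALL = 30719, E_DEPRECATED = 8192); audit_php_ini, parse_ini and the sample files are assumptions.

```python
import re

# PHP 5.3 error-level constants (values as documented in the PHP manual)
CONSTANTS = {"E_ALL": 30719, "E_STRICT": 2048, "E_DEPRECATED": 8192, "E_NOTICE": 8}

def eval_error_reporting(expr, consts=CONSTANTS):
    """Evaluate an error_reporting expression as php.ini's parser does:
    unary ~ binds tightest; |, & and ^ share one level, left to right."""
    tokens = re.findall(r"~|\||&|\^|[A-Z_][A-Z0-9_]*|\d+", expr)
    def operand(i):  # one operand, with any stacked unary ~ applied
        if tokens[i] == "~":
            i, value = operand(i + 1)
            return i, ~value
        return i + 1, consts[tokens[i]] if tokens[i] in consts else int(tokens[i])

    i, acc = operand(0)
    while i < len(tokens):
        op = tokens[i]
        i, rhs = operand(i + 1)
        acc = acc | rhs if op == "|" else acc & rhs if op == "&" else acc ^ rhs
    return acc

def parse_ini(text):
    """Minimal key = value reader: drops ; comments and surrounding quotes."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key.lower()] = value.strip('"')
    return settings

def audit_php_ini(text):
    """Hypothetical checker: report the risky values debated in the thread."""
    s = parse_ini(text)
    findings = []
    if s.get("enable_dl", "").lower() in ("1", "on", "yes", "true"):
        findings.append("enable_dl=On: dl() can map any .so into the server process")
    ext = s.get("extension_dir")
    if ext is not None and not re.match(r"^(/|[A-Za-z]:[\\/])", ext):
        findings.append('extension_dir="%s" is relative: comment it out, use the compiled-in path' % ext)
    er = s.get("error_reporting")
    if er and eval_error_reporting(er) & CONSTANTS["E_DEPRECATED"]:
        findings.append("error_reporting=%s still includes E_DEPRECATED (| where & was meant?)" % er)
    return findings

# Constructed samples: the draft production values under discussion, and the fixed form
DRAFT_INI = 'error_reporting = E_ALL | ~E_DEPRECATED\nextension_dir = "./"\nenable_dl = On\n'
HARDENED_INI = 'error_reporting = E_ALL & ~E_DEPRECATED\n;extension_dir = "./"\nenable_dl = Off\n'
```

With '|', E_ALL | ~E_DEPRECATED evaluates to -1 (every bit set, E_DEPRECATED included), which is exactly why the '&' form is the one the production file needs.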



Re: [PHP-DEV] New INIs, Round Two.

2009-02-18 Thread Eric Stewart
Christopher,
I looked into the addition of the use of variables in the INI files and I
wasn't able to find much documentation on it. Also, I haven't been able to
play with them and see exactly how they work. For now I don't feel confident
in adding my own comments about it. If you want to write up the comments
about it, I'll be happy to include those.

Eric

On Tue, Feb 17, 2009 at 1:53 PM, Christopher Jones <
christopher.jo...@oracle.com> wrote:

>
> Eric,
>
> Should uncommented parameters that seem to have the default value be
> commented out?  For example "asp_tags" and "precision".  If the
> parameters don't always have the same default value everywhere, should
> they be documented in Quick Reference section as having a different
> value to the default?
>
> Eric Stewart wrote:
> > 4. I mistakenly had the development and production values of
> > allow_call_time_pass_reference reversed. This error has been
> > corrected.
>
> I really think this should be Off in both cases to discourage use.
> The doc http://www.php.net/ini.core says "This method is deprecated
> and is likely to be unsupported in future versions of PHP/Zend."
>
> > 10. The production value of error_reporting has been changed to E_ALL |
> > ~E_DEPRECATED.
>
> This should use '&', as Dave already pointed out on the list.
>
> > 12. The oci8.events and oci8.old_oci_close_semantics example values now
> use
> > the boolean constants.
>
> Thanks.
>
> > 13. Many people have asked why the links to the online documentation for
> > each directive are specifically to the English version.
>
> Regardless of the language issue, can the URLs consistently use "www"
> instead of "us2"?  At the moment both occur.
>
> Can the generic case in this come first:?
>
>  ; 6. Windows directory (C:\windows or C:\winnt), or
> --with-config-file-path
>  ; compile time option.
>
> i.e. change it to
>
>  ; 6. The directory from the --with-config-file-path compile time
>  ; option, or the Windows directory (C:\windows or C:\winnt)
>
> The general documentation could mention the use of variables as seen
> in ext/standard/tests/general_functions/parse_ini_basic.{phpt,data}:
>
>  basicval = bar
>  var1 = ${basicval}
>
> The general documentation could mention that absolute paths to
> extensions are (now) supported:
>
>  extension=/path/to/extension.so
>
> This should use "its" not "it's":
>
>  ; PHP attempts to find and load this configuration from a number of
> locations.
>  ; The following is a summary of it's search order:
>
> The first "it's" below should be "its":
>
>  ; php.ini-development is very similar to it's production variant, except
> it's
>  ; much more verbose when it comes to errors.
>
> This should be "its" in:
>
>  ; php.ini-production contains settings which hold security, performance
> and
>  ; best practices at it's core.
>
> Ditto in:
>
>  ; Turning on this setting and managing it's maximum buffer size can yield
> some
>
> Ditto in:
>
>  ;   Integer = Enables the buffer and sets it's maximum size in bytes.
>
> Ditto in:
>
>  ; this to 1 will cause PHP CGI to fix it's paths to conform to the spec.  A setting
>
> There's an (existing) typo in this description, I guess "ignore
> libjpeg warnings" was the intention:
>
>  ; Tell the jpeg decode to libjpeg warnings and try to create
>  ; a gd image.
>
> Chris
>
> --
> Email: christopher.jo...@oracle.com  Tel: +1 650 506 8630
> Twitter:  http://twitter.com/ghrd   Free PHP Book:
> http://tinyurl.com/UGPOM
>