PHP :: Bug #35308 :: Suggestions for improving security note documentation

Bug #35308	Suggestions for improving security note documentation
Submitted:	2005-11-21 06:34 UTC	Modified:	2008-03-19 13:36 UTC
From:	cjbj at hotmail dot com	Assigned:
Status:	Wont fix	Package:	Website problem
PHP Version:	Irrelevant	OS:	n/a
Private report:	No	CVE-ID:	None

View Developer Edit

[2005-11-21 06:34 UTC] cjbj at hotmail dot com

Description:
------------
The phrasing in http://www.php.net/security-note.php has caused
confusion in at least one database administrator's mind about the
safeness of PHP.  See
  http://forums.oracle.com/forums/thread.jspa?threadID=340485
for one report of confusion.

Can the fourth paragraph of the security note be modied to read

    For Local exploits we mostly hear about open_basedir or
    safemode problems on shared virtual hosts.  These two
    features are there as a convenience to system administrators
    and should in no way be thought of as a complete security
    framework.  With all the 3rd-party libraries you can hook
    into PHP and all the creative ways you can trick these
    libraries into accessing files, it is impossible to guarantee
    security with these directives.  The CURL extension is a
    library that allows local file system access despite the
    value of open_basedir.  Another example is that Oracle
    Database can be configured to allow local files to be loaded
    into the database.  Access control is handled by Oracle and
    is not under control of PHP.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-01-07 08:30 UTC] bjori@php.net

Reclassified as documentation problem.

[2007-08-20 13:07 UTC] vrana@php.net

This page is not a part of Documentation.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon Nov 03 10:00:02 2025 UTC