php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #35308 Suggestions for improving security note documentation
Submitted: 2005-11-21 06:34 UTC Modified: 2008-03-19 13:36 UTC
From: cjbj at hotmail dot com Assigned:
Status: Wont fix Package: Website problem
PHP Version: Irrelevant OS: n/a
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2005-11-21 06:34 UTC] cjbj at hotmail dot com
Description:
------------
The phrasing in http://www.php.net/security-note.php has caused
confusion in at least one database administrator's mind about the
safeness of PHP.  See
  http://forums.oracle.com/forums/thread.jspa?threadID=340485
for one report of confusion.

Can the fourth paragraph of the security note be modied to read

    For Local exploits we mostly hear about open_basedir or
    safemode problems on shared virtual hosts.  These two
    features are there as a convenience to system administrators
    and should in no way be thought of as a complete security
    framework.  With all the 3rd-party libraries you can hook
    into PHP and all the creative ways you can trick these
    libraries into accessing files, it is impossible to guarantee
    security with these directives.  The CURL extension is a
    library that allows local file system access despite the
    value of open_basedir.  Another example is that Oracle
    Database can be configured to allow local files to be loaded
    into the database.  Access control is handled by Oracle and
    is not under control of PHP.



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-01-07 08:30 UTC] bjori@php.net
Reclassified as documentation problem.
 [2007-08-20 13:07 UTC] vrana@php.net
This page is not a part of Documentation.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Jul 23 18:01:30 2024 UTC