PHP :: Bug #35308 :: Suggestions for improving security note documentation

Bug #35308	Suggestions for improving security note documentation
Submitted:	2005-11-21 06:34 UTC	Modified:	2008-03-19 13:36 UTC
From:	cjbj at hotmail dot com	Assigned:
Status:	Wont fix	Package:	Website problem
PHP Version:	Irrelevant	OS:	n/a
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	cjbj at hotmail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2005-11-21 06:34 UTC] cjbj at hotmail dot com

Description:
------------
The phrasing in http://www.php.net/security-note.php has caused
confusion in at least one database administrator's mind about the
safeness of PHP.  See
  http://forums.oracle.com/forums/thread.jspa?threadID=340485
for one report of confusion.

Can the fourth paragraph of the security note be modied to read

    For Local exploits we mostly hear about open_basedir or
    safemode problems on shared virtual hosts.  These two
    features are there as a convenience to system administrators
    and should in no way be thought of as a complete security
    framework.  With all the 3rd-party libraries you can hook
    into PHP and all the creative ways you can trick these
    libraries into accessing files, it is impossible to guarantee
    security with these directives.  The CURL extension is a
    library that allows local file system access despite the
    value of open_basedir.  Another example is that Oracle
    Database can be configured to allow local files to be loaded
    into the database.  Access control is handled by Oracle and
    is not under control of PHP.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-01-07 08:30 UTC] bjori@php.net

Reclassified as documentation problem.

[2007-08-20 13:07 UTC] vrana@php.net

This page is not a part of Documentation.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Apr 20 00:01:27 2024 UTC