Robert Cummings wrote:
> On Fri, 2007-01-05 at 22:07 +0100, Jochem Maas wrote:

...

>>> `----
>>>
>>> In my opinion include() should respect symlinks to directories and not
>>> dereference them before finding the file to include. Or am I wrong here?
>> I have tested using your exact description and get the result, you can
>> be fairly certain this is not something specific to your server/machine.
>>
>> I would tend to agree with your premise - but the php devs may have
>> decided against this behaviour on purpose.
>
> PHP needs to dereference symlinks so it knows exactly where it is in
> case of security violations. This prevents symlinking into paths for
> which you don't have access... especially important on shared hosts.

(what's a shared host? ;-)

that explains why - open_base_dir (right?) - but it sounds shoddy, surely php should just be dereferencing within the confines of the security violation check (and crap out if the check fails), but if the check succeeds the symlink referencing should be honoured for the remainder of play? (or maybe that would be a nightmare to implement or just plain slow at runtime?)

I realise open_base_dir fills a need left by the lack of ability to run as a webserver module in the context of a specific user on a per client basis - but really this kind of stuff needs to be done at the system level - in a perfect world php would not have to go near any security checks of this ilk.

another thing is that I don't have open_base_dir set to anything - there is no restriction defined so there can be no violation in the context of php's security check - so why do the check at all (and therefore why dereference the symlink)

and then there is the issue of the fact that I was testing this with the CLI, no freaking webserver in sight, and therefore running purely within the context of the user I was logged in as, not the webserver's user.

I realise I may be thinking rather simplistically about this so I welcome any insight :-)

then again if I've raised some points which *might* be valid then maybe there is still a case for asking a php-dev's opinion?

>
> Cheers,
> Rob.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
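As an added illustration of the point Rob raises (this is not code from the thread and not PHP's own open_basedir implementation), the Python script below builds a throwaway directory layout in which a symlink inside an allowed base directory points at a directory outside it, and compares a purely lexical containment check against one that dereferences symlinks first. The directory names, file contents and helper functions are all constructed for the demo.

```python
"""Why a base-directory check must resolve symlinks before comparing paths.

Constructed layout (all names are made up for this demo):
  <tmp>/base/            - the allowed root, playing the role of an
                           open_basedir-style restriction
  <tmp>/base/real/a.txt  - a genuine file under base
  <tmp>/base/alias       - symlink -> <tmp>/base/real   (stays inside base)
  <tmp>/base/lib         - symlink -> <tmp>/outside     (escapes base)
  <tmp>/outside/secret.txt
"""
import os
import tempfile


def _contains(root: str, candidate: str) -> bool:
    """True if candidate is root itself or lies strictly beneath root."""
    return candidate == root or candidate.startswith(root + os.sep)


def naive_is_within(path: str, base: str) -> bool:
    """Lexical check only: collapses '.' and '..' but never follows symlinks."""
    return _contains(os.path.abspath(base), os.path.abspath(path))


def resolved_is_within(path: str, base: str) -> bool:
    """Dereference every symlink component, then compare the real locations."""
    return _contains(os.path.realpath(base), os.path.realpath(path))


def build_layout() -> dict:
    """Create the constructed layout in a fresh temp dir; return useful paths."""
    root = tempfile.mkdtemp(prefix="symlink-demo-")
    base = os.path.join(root, "base")
    outside = os.path.join(root, "outside")
    os.makedirs(os.path.join(base, "real"))
    os.makedirs(outside)
    with open(os.path.join(base, "real", "a.txt"), "w") as fh:
        fh.write("inside\n")
    with open(os.path.join(outside, "secret.txt"), "w") as fh:
        fh.write("outside\n")
    os.symlink(os.path.join(base, "real"), os.path.join(base, "alias"))
    os.symlink(outside, os.path.join(base, "lib"))
    return {
        "base": base,
        "inside_via_link": os.path.join(base, "alias", "a.txt"),
        "escape_via_link": os.path.join(base, "lib", "secret.txt"),
    }


def demo() -> dict:
    """Run both checks on both symlinked paths and report the verdicts."""
    p = build_layout()
    return {
        # Lexically the escaping path looks like base/lib/secret.txt, so the
        # naive check accepts it even though the file lives outside base.
        "naive_escape": naive_is_within(p["escape_via_link"], p["base"]),
        # After dereferencing, the real location is <tmp>/outside/... and the
        # check correctly rejects it.
        "resolved_escape": resolved_is_within(p["escape_via_link"], p["base"]),
        # A symlink that stays inside base is still accepted after resolving,
        # so dereferencing does not break legitimate in-tree links.
        "resolved_inside": resolved_is_within(p["inside_via_link"], p["base"]),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The difference between the two verdicts on the escaping path is exactly the reason a base-directory restriction has to dereference before it compares: whether the link is resolved after the check has passed, as Jochem suggests, is a separate question from whether it is resolved for the check itself.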