Code Comments
ID: 35308
Updated by: vrana@php.net
Reported By: cjbj at hotmail dot com
Status: Open
-Bug Type: Documentation problem
+Bug Type: Website problem
Operating System: n/a
PHP Version: Irrelevant
New Comment:

This page is not a part of Documentation.

Previous Comments:
------------------------------------------------------------------------

[2007-01-07 08:30:40] bjori@php.net

Reclassified as documentation problem.

------------------------------------------------------------------------

[2005-11-21 06:34:56] cjbj at hotmail dot com

Description:
------------
The phrasing in http://www.php.net/security-note.php has caused confusion in at least one database administrator's mind about the safeness of PHP. See http://forums.oracle.com/forums/thr...threadID=340485 for one report of confusion.

Can the fourth paragraph of the security note be modified to read:

For Local exploits we mostly hear about open_basedir or safemode problems on shared virtual hosts. These two features are there as a convenience to system administrators and should in no way be thought of as a complete security framework. With all the 3rd-party libraries you can hook into PHP and all the creative ways you can trick these libraries into accessing files, it is impossible to guarantee security with these directives. The CURL extension is a library that allows local file system access despite the value of open_basedir. Another example is that Oracle Database can be configured to allow local files to be loaded into the database. Access control is handled by Oracle and is not under control of PHP.

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=35308&edit=1