Skip to content

Remove hint to security purpose #5150

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Remove hint to security purpose #5150

wants to merge 2 commits into from

Conversation

jsmmo
Copy link
Contributor

@jsmmo jsmmo commented Feb 5, 2020

This is a doc PR related to: php/doc-en#34

@jsmmo jsmmo mentioned this pull request Feb 5, 2020
Closed
@nikic
Copy link
Member

nikic commented Feb 5, 2020

To provide some context: Per our security policy, only issues that have a potential for remote exploitation are subject to the security policy. We consider the case where the attacker has full code execution privileges on the server to be a lost cause. Features like "open_basedir" and "disable_functions" are there to prevent mistakes, not to foil a determined "attacker". (Mistakes like: Accidentally deploying development tooling that performs shell calls.)

I started a discussion on removing open_basedir in the past, but the general consensus seems to be that this is still a helpful feature, even if it is understood that it is not a hard security guarantee.

So, this change is fine from my side, but I'm going to leave this PR open for a bit, in case there are more comments.

@php-pulls php-pulls closed this in 038ca4b Feb 10, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Girgias Girgias Girgias approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jsmmo @nikic @Girgias