On Fri, 2006-03-03 at 09:00 -0600, David Johnson wrote:
> The policy document looks great and carefully thought out. We have not
> finished our package development and released it yet, so we're not certain.
> One question is in regards to PHP configuration. For example our
> application requires "register_global" to be turned on in PHP (which has
> sufficient security structure in place where this is not a problem for us).
> What approach should we take here?

There are ways to turn register_globals off for specific paths or locations on your webserver, at least in Apache. You could advise the users of your package to do that, and be sure to mention that they should not turn it on site-wide.

I'm wondering, however, why your application requires it; I see no need for any modern application to use that setting, since there are good alternatives available that are safe by design.

bye,
Thijs
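The per-path approach Thijs describes, written out as an added Apache configuration example (not part of the original thread, and not from any package mentioned in it). It assumes Apache with mod_php on a PHP version that still has the setting (register_globals is PHP_INI_PERDIR, so it can differ per directory; it was removed in PHP 5.4), and the paths /var/www and /var/www/legacy-app are placeholders:

```apache
# Server-wide default: register_globals stays off everywhere.
# php_admin_flag (rather than php_flag) means a .htaccess file or
# ini_set() cannot switch it back on, even if AllowOverride permits
# php_flag directives elsewhere in the tree.
php_admin_flag register_globals Off

<Directory /var/www>
    # Placeholder document root: inherits the server-wide Off.
    AllowOverride None
</Directory>

# Placeholder path of the one application that still depends on the setting.
# The override is scoped to this directory only; nothing above or beside it
# is affected. Keep this block as narrow as the application actually needs.
<Directory /var/www/legacy-app>
    php_admin_flag register_globals On
</Directory>
```

Deploying the package this way lets users keep the site-wide default off while the application that needs register_globals gets it only under its own path.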