
Re: Web applications specific issues



> Managing PHP libraries, security policy about include()
> -----------------------------------------------------------------
>
> When you provide some PHP scripts in your package, you are likely to
> find some include() statements in some scripts. There must be a
> discussion around the security issues about that, as it can sometimes
> lead to security holes[1].
>
> 1: http://lists.debian.org/debian-security/2005/04/msg00103.html

another thing, that is related to what I said, is providing some 
"quality" criteria to allow a PHP package to be in Debian.

the criterion about the include path is one, but I guess there are 
others. PHP upstream does not recommend any 'best practices' (maybe 
except PEAR, but not everybody likes those), and some PHP libs are 
totally unsound (I don't know if they are packaged in Debian, but I've 
met some horrible things, and we should refuse such libs).

e.g. an important criterion IMHO is robustness to magic_quotes_gpc 
[1] settings and other such pleasant horrors of PHP (register_globals, 
e.g.).

But that is only some random thoughts though.

[1] : here the point is for *libs* not for apps. I think we may be more
      tolerant wrt apps, but libraries *have* to behave well in any
      common PHP configuration.
-- 
·O·  Pierre Habouzit
··O
OOO                                                http://www.madism.org
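As an added illustration of the robustness criterion discussed in the message above (example code written for this page, not from the original thread, from Debian or from any PHP upstream project; the MYLIB_DIR constant, the pages/*.php layout and the page whitelist are assumptions), here is a library entry point written so that it behaves the same under any common PHP 4/5 configuration: it never hands request data to include(), it undoes magic_quotes_gpc so the library always sees raw input, and it never relies on register_globals.

```php
<?php
// Added example, not from the original thread. It shows a library entry
// point that behaves the same whether magic_quotes_gpc and register_globals
// are on or off, and that never passes request data to include().
// File names (pages/*.php) and the page whitelist are assumptions.

// --- include() hygiene --------------------------------------------------
// Resolve every include relative to this file. Nothing here depends on
// include_path, and no request value ever reaches include()/require().
define('MYLIB_DIR', dirname(__FILE__));

// Fragile pattern, for contrast (never ship this):
//   include($_GET['page'] . '.php');
// This loads whatever local file (or, with allow_url_fopen on, whatever
// remote URL) the request names.

function mylib_load_page($page)
{
    $allowed = array('home', 'about', 'contact');   // constructed whitelist
    if (!in_array($page, $allowed, true)) {
        return false;                                // unknown page: refuse
    }
    require MYLIB_DIR . '/pages/' . $page . '.php';  // fixed prefix + whitelisted name
    return true;
}

// --- magic_quotes_gpc hygiene -------------------------------------------
// Undo the automatic addslashes() applied to GET/POST/COOKIE data when
// magic_quotes_gpc is on, so the library always works with raw input and
// does its own escaping for the target context (SQL, HTML, shell).
function mylib_unquote($value)
{
    if (!get_magic_quotes_gpc()) {
        return $value;
    }
    if (is_array($value)) {
        return array_map('mylib_unquote', $value);
    }
    return stripslashes($value);
}

// --- register_globals hygiene -------------------------------------------
// Read request data only through the superglobals, and initialise every
// variable before use. With register_globals on, an uninitialised
// $is_admin would otherwise be settable from the query string (?is_admin=1).
function mylib_param($name, $default = null)
{
    if (!isset($_REQUEST[$name])) {
        return $default;
    }
    return mylib_unquote($_REQUEST[$name]);
}

// Example use by an application:
$is_admin = false;                                   // explicit initialisation
$page     = mylib_param('page', 'home');
$comment  = mylib_param('comment', '');
// $comment is now raw text regardless of magic_quotes_gpc; escape it for
// the context it is used in, e.g. htmlspecialchars($comment) for HTML.
if (!mylib_load_page($page)) {
    header('HTTP/1.0 404 Not Found');
}
```

The three sections correspond to the three configuration hazards named in the thread: include() only ever sees a fixed directory prefix plus a whitelisted name, mylib_unquote() makes the library indifferent to magic_quotes_gpc, and reading exclusively from $_REQUEST with explicit initialisation makes it indifferent to register_globals. get_magic_quotes_gpc() and the magic quotes mechanism were removed in later PHP versions; the example targets the PHP 4/5 era the thread is about.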


