> Managing PHP libraries, security policy about include()
> -----------------------------------------------------------------
>
> When you provide some php scripts in your package, you are likely to
> find some include() statements in some scripts. There must be a
> discussion around the security issues about that, as it can sometimes
> lead to security holes[1].
>
> 1: http://lists.debian.org/debian-security/2005/04/msg00103.html

another thing, that is related to what I said, is providing some
"quality" criteria to allow a php package to be in debian. the
criterion about the include path is one, but I guess there are some
others.

PHP upstream does not recommend any 'best practices' (maybe except
PEAR, but not everybody likes those), and some php libs are totally
unsound (I don't know if they are packaged in debian, but I've met some
horrible things, and we should refuse such libs).

e.g. an important criterion IMHO is the robustness to magic_quotes_gpc
[1] settings and other such pleasant horrors of PHP (register_globals
e.g.).

But that is only some random thoughts though.

[1] : here the point is for *libs* not for apps. I think we may be more
tolerant wrt apps, but libraries *have* to behave well in any common
PHP configuration.

-- 
·O·  Pierre Habouzit
··O                                                http://www.madism.org
OOO
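As an added example, not code from the list post or from any Debian package, here is what a library bootstrap that meets the two criteria discussed above can look like in PHP: includes anchored to the library's own directory instead of include_path, and request handling that gives the same result whether magic_quotes_gpc and register_globals are on or off. The function names and the lib/ and pages/ paths are assumptions made for the example.

```php
<?php
// Criterion 1: resolve every include relative to this file, never through
// include_path, so neither the application's include_path setting nor a
// user-controlled variable decides which file is loaded.
require_once dirname(__FILE__) . '/lib/helpers.php';   // assumed helper file

// Undo the backslashes that magic_quotes_gpc adds to request data, so the
// library sees raw values under either setting. Recurses into nested arrays
// (e.g. field[] inputs), which a plain array_map('stripslashes') would not.
function lib_unquote($value)
{
    if (is_array($value)) {
        return array_map('lib_unquote', $value);
    }
    return stripslashes($value);
}

// Criterion 2: read input only from the superglobals, never from a bare
// variable that register_globals may or may not have created, and
// normalise it regardless of magic_quotes_gpc.
function lib_request_value(array $source, $key, $default = null)
{
    if (!array_key_exists($key, $source)) {
        return $default;
    }
    $value = $source[$key];
    // get_magic_quotes_gpc() no longer exists on modern PHP; the
    // function_exists guard keeps the library loadable there too.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = lib_unquote($value);
    }
    return $value;
}

// A page selector that never lets request data reach include() directly:
// the value is matched against an allow-list and mapped to a fixed path.
function lib_page_file(array $allowed_pages)
{
    $page = lib_request_value($_GET, 'page', 'index');
    if (!is_string($page) || !in_array($page, $allowed_pages, true)) {
        $page = 'index';
    }
    return dirname(__FILE__) . '/pages/' . $page . '.php';   // assumed layout
}

require_once lib_page_file(array('index', 'about', 'contact'));
```

Because the selector only ever returns one of the allow-listed file names, a `?page=` value pointing at a remote URL or at `../` paths falls back to the index page instead of reaching include().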