[TYPO3-core] RFC #9474: Integrate OpenID authentication support to TYPO3

Xavier Perseguers typo3 at perseguers.ch
Mon Oct 13 20:06:01 CEST 2008 

Hi Ingo,

>> No. Taking care of proper configuration would force me to allow read 
>> of /dev/urandom which you cannot force, this is why Dmitry added tests 
>> to use /dev/random instead or the built-in PNRG. If you leave this 
>> without the @ sign (which BTW is already present in many part of the 
>> core), then you force me (or any other administrator) to modify the 
>> source code before being able to use it as I won't allow access to 
>> /dev/urandom to my customers. It removes entropy on my server and 
>> could be used as part of an attack if my server is not able to regain 
>> entropy quickly enough
> 
> again, you're mixing things up, you get that error because you're not in 
> a standard environment, a default PHP environment will not throw errors, 
> and even yours shouldn't according to the function's documentation...

Make the test yourself...

>> This is a warning, not an error message and warning should be 
>> suppressed in proper coding, this is why I submitted this patch to 
>> Dmitry which agreed.
> 
> A warning also has a reason, it also tells you that something isn't 
> right... do not surpress errors (except for live environments)

I really do not understand why you are against this @. It really does 
not make sense for me and what BTW is a standard PHP environment? Does 
it mean nobody should try to secure his server when using TYPO3? I have 
a hardened configuration with open_basedir, suhosin and mod_security and 
it simply works great. I do not understand why you would like me to 
lower security just because is_readable() does not take care of handling 
correctly open_basedir restrictions and when a simple @ removing this 
warning would make everybody happy.

Once again, I cannot believe that you are against the @. Did you test 
the behaviour? BTW it was already reported by me on another part, in DAM 
context with the registration of a service and use of is_executable 
which does not honor either the open_basedir and it was approved by core 
team.

-- 
Xavier Perseguers
http://xavier.perseguers.ch/en

More information about the TYPO3-team-core mailing list