
The lack of `chroot`[1] makes me sad off the bat - for some reason that function seems like a secret, everyone actually wants to use it (or wanted to before autoloading became as easy as it is) but nobody did.

Additionally I'd love to see that file split up into smaller chunks simply to lower the scope of thought.

It looks like nearly all of those function calls are modifying variables passed by reference instead of resolving the value out via `return`. This isn't bad and is indistinguishable at a technical level in terms of functionality, but it's a kind of horrible approach from an expressibility standpoint.

They're doing things with datetime that are unsafe and wrong (like assuming `24*60*60` is the number of seconds in a day) but people getting datetime logic wrong is as old as... well, time.

Oh, and you've got some pretty bizarre looking function signatures - I'm sure there is a reason for this but I'd want to ask some questions about this one...

    $permissions = privacy_get_reduced_network_permissions($user, $user);
It's possible to go through this and nitpick a bunch of stuff, it looks like it's mostly just an older style though. The big problems aren't here though... I'm not seeing any reads into $_POST (and `param_get_slashed` looks like a nice function for sanitizing input) - additionally, I'm not seeing a single line of SQL nor am I seeing any memcached calls, so the data access layer may already be well isolated architecturally.

1. https://www.php.net/manual/en/function.chroot.php
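The "seconds in a day" point above is easy to demonstrate. The following is an added example, not code from the thread or from the codebase under review; the timezone and dates are chosen for illustration (America/New_York switched to daylight saving time on 2023-03-12 at 02:00 local time), and the function names are my own.

```php
<?php
// Added example: why "24*60*60 seconds" is not a calendar day in a timezone
// that observes daylight saving time. Timezone and dates are illustrative.

declare(strict_types=1);

const SECONDS_PER_DAY = 24 * 60 * 60; // the assumption being criticised

/**
 * "Next day" computed the naive way: add 86400 seconds to the Unix timestamp.
 * This measures elapsed time, so the wall-clock hour drifts across a DST change.
 */
function nextDayNaive(DateTimeImmutable $dt): DateTimeImmutable
{
    return $dt->setTimestamp($dt->getTimestamp() + SECONDS_PER_DAY);
}

/**
 * "Next day" computed on the calendar: same wall-clock time, next date,
 * letting the timezone rules decide how many seconds that actually is.
 */
function nextDayCalendar(DateTimeImmutable $dt): DateTimeImmutable
{
    return $dt->modify('+1 day');
}

/**
 * Elapsed seconds between a local wall-clock instant and the same wall-clock
 * time on the following calendar day; 86400 only when no DST boundary is crossed.
 */
function secondsInCalendarDay(DateTimeImmutable $dt): int
{
    return nextDayCalendar($dt)->getTimestamp() - $dt->getTimestamp();
}

$tz    = new DateTimeZone('America/New_York');
$start = new DateTimeImmutable('2023-03-11 12:00:00', $tz); // the day before DST begins

$naive    = nextDayNaive($start);
$calendar = nextDayCalendar($start);

printf("start:     %s\n", $start->format('Y-m-d H:i:s T'));
printf("naive:     %s\n", $naive->format('Y-m-d H:i:s T'));
printf("calendar:  %s\n", $calendar->format('Y-m-d H:i:s T'));
printf("seconds in that calendar day: %d (assumed %d)\n",
    secondsInCalendarDay($start), SECONDS_PER_DAY);
```

Run with `php example.php`: the naive result lands at 13:00 local time on the next day while the calendar result stays at 12:00, and the calendar day that began at noon on 2023-03-11 lasts 23 hours rather than 86400 seconds. The practical rule for anything security-relevant (session lifetimes, token expiry, rate-limit windows) is to do duration arithmetic on UTC timestamps and to use calendar operations only when the requirement really is "the same time tomorrow".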




`chroot()` has no place in a web application. The system call requires the process to be running as root.


Can you call that and then drop permissions?


In theory, yes. But that's still bad, because it means that a nontrivial amount of your application code (as well as whatever is launching it, like the PHP-FPM server or the web server) is running as root.



