Do not disable phar.readonly

Question

Do not disable phar.readonly

dktapps opened this issue 3 years ago · 3 comments

Disabling phar.readonly is only useful when using DevTools to compile a plugin. The rest of the time, disabling it creates security vulnerabilities and potential for the wackiest of bugs.

Case in point: https://discord.com/channels/373199722573201408/480650036972224513/908536847272120372

Answer 1 · 2021-11-19T14:56:15.000Z

So you are suggesting that we make devtools unusable by default?

Answer 2 · 2021-11-19T14:57:36.000Z

Building a plugin by starting a server was always a stupid idea to begin with.
Building offline is just a case of passing -dphar.readonly=0 to php.

Answer 3 · 2021-11-19T14:58:31.000Z

In addition, enabling it for everyone just for the minority of users that actually need it makes as little sense as including Composer into the PHP builds, which we already stopped doing a long time ago.