Newsgroups: php.internals
Xref: news.php.net php.internals:103274
Date: Fri, 28 Sep 2018 15:49:29 +0300
To: Arnold Daniels
Cc: PHP Internals
Subject: Re: [PHP-DEV] Add FILTER_VALIDATE_INCLUDE validation filter for variable includes
From: narf@devilix.net (Andrey Andreev)

Hi,

On Mon, Sep 24, 2018 at 2:21 PM, Arnold Daniels wrote:
>
> Please have a look at
> * https://wiki.php.net/rfc/script_only_include - PHP RFC: Introduce script only include/require
> * https://wiki.php.net/rfc/allow_url_include - PHP RFC: Precise URL include control
>
> Both describe the problem and possible solutions.
>
> Also see
> https://www.exploit-db.com/search/?action=search&q=file+inclusion&platform=31
>
> Using the filter extension is an alternative solution, which doesn't require
> changing the PHP syntax.
>

That's really not the clear example I was looking for. But that's ok ... I believe I've made my point already.

Hopefully your emails are getting through to the list and others can get involved.

Cheers,
Andrey.