Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:11542
Return-Path: <cschneid@cschneid.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 27482 invoked by uid 1010); 24 Jul 2004 15:42:09 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 27457 invoked from network); 24 Jul 2004 15:42:09 -0000
Received: from unknown (HELO xaxa.search.ch) (195.141.85.117)
  by pb1.pair.com with SMTP; 24 Jul 2004 15:42:09 -0000
Received: from localhost (localhost [127.0.0.1])
	by xaxa.search.ch (Postfix) with ESMTP
	id 2F5D96CF9D; Sat, 24 Jul 2004 17:42:09 +0200 (CEST)
Received: by xaxa.search.ch (Postfix, from userid 65534)
	id F3E136DB12; Sat, 24 Jul 2004 17:42:07 +0200 (CEST)
Received: from cschneid.com (ultrafilter-i [192.168.85.2])
	(using TLSv1 with cipher RC4-MD5 (128/128 bits))
	(No client certificate requested)
	by xaxa.search.ch (Postfix) with ESMTP
	id 7AB0E6CF9D; Sat, 24 Jul 2004 17:42:07 +0200 (CEST)
Message-ID: <4102834F.9080707@cschneid.com>
Date: Sat, 24 Jul 2004 17:42:07 +0200
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040114
X-Accept-Language: en-us, en, de-ch, de
MIME-Version: 1.0
To: Stefan Esser <sesser@php.net>
Cc: Rasmus Lerdorf <rasmus@php.net>, internals@lists.php.net
References: <5.1.0.14.2.20040724003444.034ea690@127.0.0.1> <Pine.LNX.4.58.0407240737040.28603@thinkpad.lerdorf.com> <41027EA5.2000007@php.net>
In-Reply-To: <41027EA5.2000007@php.net>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on xaxa.search.ch
X-Spam-Level: 
X-Spam-Status: No, hits=-4.9 required=5.0 tests=BAYES_00 autolearn=ham 
	version=2.63
X-Virus-Scanned: by AMaViS 0.3.12pre8
Subject: Re: [PHP-DEV] Everyone on the road?
From: cschneid@cschneid.com (Christian Schneider)

Stefan Esser wrote:
> Realpath is not only slow, it is also "dangerous" on some systems like 
> linux where it also works on paths that are not really existing.
> 
> example:   include "./foo/bar/index.php/../../../../../../etc/passwd";

This is a completely legal unix path as .. in / is / again. And from a 
security point of view I'd say the only thing you gain by disallowing 
this is that the number of .. in the path have to be guessed (pretty 
easily) by the attacker.

Or am I missing something here?

Not that I can see the benefit of a home-grown realpath() :-)

- Chris