Newsgroups: php.internals
Date: Sat, 24 Jul 2004 18:30:49 +0200
To: Stefan Esser
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Everyone on the road?
From: cschneid@cschneid.com (Christian Schneider)

Stefan Esser wrote:
> This is no legal unix path, because index.php is a file and not a

Oops, missed that part of the path, just looked at the .. :-)

> And to understand the security impact:
> include "./foo/bar/template_".$userinput;

... which I'd consider bad practice anyway but that's another story :-)

- Chris
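
The include quoted above, with the file name constrained before it reaches the filesystem, as an added example that is not part of the original message. The directory layout, the fixed `.php` suffix, the `tpl` request parameter and the `resolve_template` helper are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not code from the thread.
// Assumed layout: templates are stored as ./foo/bar/template_<name>.php

const TEMPLATE_DIR = __DIR__ . '/foo/bar';   // assumed template directory

function resolve_template($userinput): string
{
    // 1. Accept only a short name token. Rejecting '/', '\', '.' and NUL
    //    up front means no ".." component can be built from the input,
    //    regardless of how the platform normalizes paths.
    if (!is_string($userinput)
        || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $userinput)) {
        throw new InvalidArgumentException('invalid template name');
    }

    // 2. Build the path as the quoted include does, plus a fixed suffix
    //    (the suffix is an assumption; the original has none).
    $candidate = TEMPLATE_DIR . '/template_' . $userinput . '.php';

    // 3. Defense in depth: resolve symlinks and confirm the result is a
    //    regular file that still lives under the template directory.
    $base = realpath(TEMPLATE_DIR);
    $real = realpath($candidate);
    if ($base === false || $real === false || !is_file($real)
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('template not found');
    }

    return $real;
}

// 'tpl' is an assumed request parameter name.
try {
    include resolve_template($_GET['tpl'] ?? 'default');
} catch (Exception $e) {
    // Same response for malformed and missing names, so the error
    // does not reveal which files exist.
    http_response_code(404);
}
```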