Newsgroups: php.internals
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Message-ID: <17089.18702.450236.614561@desk.crynwr.com>
Date: Tue, 28 Jun 2005 08:56:46 -0400
To: internals@lists.php.net
In-Reply-To: <42C0F4DA.4000605@php.net>
References: <42BDDC82.6020208@ohgaki.net> <17088.52397.92440.326561@desk.crynwr.com> <42C0CF76.6090203@lerdorf.com> <42C0F4DA.4000605@php.net>
Subject: Re: [PHP-DEV] allow_url_fopen should be INI_ALL
From: nelson@crynwr.com (Russell Nelson)

Stefan Esser writes:
> I agree with Rasmus. Remote URL Includes are dying out.

That's not what Rasmus said.
> Most released advisories are SQL Injections nowadays and well maybe
> Russell's next mail says: mysql_query() considered harmful.

When the top Google result for 'php security flaw' returns mysql_query()
instead of include(), I will agree that you are correct.

> Ohhh btw Russell, if you really consider include harmful, then simply
> install the Hardening-Patch for PHP and live with it.

I'm not trying to fix this for me. Clearly there are at least a half-dozen
things I could do to fix the problem for myself[!]. I believe that the
problem's cause is the design of the language intrinsic. Therefore, fixing
the problem for myself doesn't address the cause of the problem. It just
prevents me from seeing the problem anymore. The problem is still there.

[!] The first six:
1) rm -rf php
2) don't allow my users access to php.
3) audit all code written by my users.
4) turn allow_url_fopen off.
5) install Hardening.
6) write my own patch removing url_fopen capability from 'include'.

-- 
--My blog is at blog.russnelson.com     | If you want to find
Crynwr sells support for free software  | PGPok           | injustice in economic
521 Pleasant Valley Rd.                 | +1 315-323-1241 | affairs, look for the
Potsdam, NY 13676-3213                  |                 | hand of a legislator.
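As an added illustration of the include()/allow_url_fopen problem argued over in this thread (example code, not from any participant or from PHP itself): the include pattern the message calls harmful, beside an allowlist version that keeps user input out of include() entirely, plus a runtime check of the two INI directives involved. The page only names allow_url_fopen; allow_url_include is the separate directive PHP 5.2 later introduced for the include() case, mentioned here as a known fact rather than something the thread discusses. File names in the allowlist are constructed.

```php
<?php
// Vulnerable pattern: request data reaches include() directly. With
// allow_url_fopen=On (the default in 2005) and a remote URL in $page,
// the interpreter fetches and executes code from a foreign host. This is
// the "language intrinsic" design the message objects to.
function render_page_vulnerable(string $page): void
{
    include $page;
}

// Hardened pattern: the request selects a key, never a path. Only files
// named in the allowlist can be included, so neither remote URLs nor
// local path traversal are reachable from user input, regardless of how
// allow_url_fopen is configured. (Constructed file names.)
const PAGE_ALLOWLIST = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function render_page_hardened(string $page): bool
{
    if (!array_key_exists($page, PAGE_ALLOWLIST)) {
        http_response_code(404);
        return false;
    }
    include PAGE_ALLOWLIST[$page];
    return true;
}

// Defence in depth: report the INI directives that gate remote code.
// allow_url_fopen controls URL wrappers in the file functions generally;
// allow_url_include (added in PHP 5.2, default Off) controls them for
// include/require specifically. Both should read false on a server that
// does not need remote includes.
function remote_include_exposure(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

// Usage with a constructed request parameter.
$page = $_GET['page'] ?? 'home';
render_page_hardened($page);
var_dump(remote_include_exposure());
```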