Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:16983 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 56210 invoked by uid 1010); 29 Jun 2005 04:33:36 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 56195 invoked from network); 29 Jun 2005 04:33:36 -0000 Received: from unknown (HELO crynwr.com) (127.0.0.1) by localhost with SMTP; 29 Jun 2005 04:33:36 -0000 X-Host-Fingerprint: 192.203.178.14 ns1.crynwr.com Linux 2.0.3x (1) Received: from ([192.203.178.14:1495] helo=ns1.crynwr.com) by pb1.pair.com (ecelerity 1.2 r(5656M)) with SMTP id 46/1A-00424-F9422C24 for ; Wed, 29 Jun 2005 00:33:36 -0400 Received: (qmail 16591 invoked from network); 29 Jun 2005 04:33:11 -0000 Received: from dpc6745223014.direcpc.com (HELO desk.crynwr.com) (67.45.223.14) by pdam.crynwr.com with SMTP; 29 Jun 2005 04:33:11 -0000 Received: (qmail 1953 invoked by uid 500); 29 Jun 2005 04:32:36 -0000 Comment: DomainKeys? See http://antispam.yahoo.com/domainkeys DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=dog; d=crynwr.com; b=lX3TZgBRWtCQAsx3T0gqyNfJSmQEUi8JQlr+Zv5ecVPthrBjHopSWnvRFKrAvdZK ; MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <17090.9316.148303.68882@desk.crynwr.com> Date: Wed, 29 Jun 2005 00:32:36 -0400 To: internals@lists.php.net In-Reply-To: <42C1FF2A.4000006@fission.org.uk> References: <42BDDC82.6020208@ohgaki.net> <17088.52397.92440.326561@desk.crynwr.com> <42C0CF76.6090203@lerdorf.com> <42C0F4DA.4000605@php.net> <17089.18702.450236.614561@desk.crynwr.com> <1119998580.13690.109.camel@localhost> <17089.63833.772427.529013@desk.crynwr.com> <42C1FF2A.4000006@fission.org.uk> X-Mailer: VM 7.17 under 21.4 (patch 17) "Jumbo Shrimp" XEmacs Lucid Subject: Re: [PHP-DEV] allow_url_fopen should be INI_ALL From: nelson@crynwr.com (Russell Nelson) Gareth Ardron writes: > To me, it's obvious that include includes a file - I see no obvious > determination that that file is either local or remote in the "include" > statement. Can you name some other languages in which 'include' has such incredibly sharp edges? C? Python? Perl? BASH? Sed? Awk? Pascal? BASIC? Is there *any* precedent for a language in which 'include' will fetch hostile code from a remote server and execute it? If you're going to argue that experienced programmers will understand that 'include' will fetch code, you should explain how their experience helps them. > Also, I think it's silly to make include into two functions as you > suggest given that the ability to include a remote file depends on the > fopen wrapper being enabled. If we were to follow this line of logic, we > would have two functions for every current one function which can use > the fopen wrappers. That's not my line of logic, so following it takes you off the map. > I think the documentation quite clearly states that /all/ functions that > deal with files may deal with remote files if the fopen wrappers are > enabled Why did both of my users miss that documentation? The facts seem to be in opposition to your assertion that "the documentation quite clearly states". > However, as I mention above, every single function that can use > fopen wrappers can be exploited in this way. Not true. You would need to have *another* security flaw (a bug in jpg or xml parsing) for hostile jpg or xml content to gain privileges. > It's unfortunate, but there's a lot of muppets out there who think > they can code Now you're blaming the victim. -- --My blog is at blog.russnelson.com | If you want to find Crynwr sells support for free software | PGPok | injustice in economic 521 Pleasant Valley Rd. | +1 315-323-1241 | affairs, look for the Potsdam, NY 13676-3213 | | hand of a legislator.