Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:16986
Return-Path: <nicobn@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 76040 invoked by uid 1010); 29 Jun 2005 05:09:32 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 76024 invoked from network); 29 Jun 2005 05:09:32 -0000
Received: from unknown (HELO pb1.pair.com) (127.0.0.1)
  by localhost with SMTP; 29 Jun 2005 05:09:32 -0000
X-Host-Fingerprint: 64.233.162.204 zproxy.gmail.com Linux 2.4/2.6
Received: from ([64.233.162.204:22857] helo=zproxy.gmail.com)
	by pb1.pair.com (ecelerity 1.2 r(5656M)) with SMTP
	id 37/DC-00424-A0D22C24 for <internals@lists.php.net>; Wed, 29 Jun 2005 01:09:30 -0400
Received: by zproxy.gmail.com with SMTP id i11so416139nzh
	for <internals@lists.php.net>; Tue, 28 Jun 2005 22:09:27 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
	s=beta; d=gmail.com;
	h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
	b=GveQA1J5VxKTlf9D+L2lEmen/n+/WehkyVv+fMb3XXgoO+sFhFF/fJaaJfX4DpYaWxXJPTIiZrwLaABk4SqMFxjULkvqg50iMIhlPftAdXR0bZViwXHG0lGAhBTAEBLqsT25sLqLN47PBHVLk+vt28Gc7+nXoaNBG7wheRKhozE=
Received: by 10.36.158.10 with SMTP id g10mr6350364nze;
	Tue, 28 Jun 2005 22:09:27 -0700 (PDT)
Received: by 10.36.75.3 with HTTP; Tue, 28 Jun 2005 22:09:27 -0700 (PDT)
Message-ID: <30bd802405062822091191c8fc@mail.gmail.com>
Date: Wed, 29 Jun 2005 01:09:27 -0400
Reply-To: =?ISO-8859-1?Q?Nicolas_B=E9rard_Nault?= <nicobn@gmail.com>
To: Russell Nelson <nelson@crynwr.com>
Cc: internals@lists.php.net
In-Reply-To: <17090.9316.148303.68882@desk.crynwr.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
References: <42BDDC82.6020208@ohgaki.net>
	<17088.52397.92440.326561@desk.crynwr.com>
	<42C0CF76.6090203@lerdorf.com> <42C0F4DA.4000605@php.net>
	<17089.18702.450236.614561@desk.crynwr.com>
	<1119998580.13690.109.camel@localhost>
	<17089.63833.772427.529013@desk.crynwr.com>
	<42C1FF2A.4000006@fission.org.uk>
	<17090.9316.148303.68882@desk.crynwr.com>
Subject: Re: [PHP-DEV] allow_url_fopen should be INI_ALL
From: nicobn@gmail.com (=?ISO-8859-1?Q?Nicolas_B=E9rard_Nault?=)

PHP is not, in my opinion, idiot-proof. You're right on that point.
Where our opinions differ is about what should be done about this.

If a programmer is not capable of controlling an user input, why then
should we trust him with anything ? A lot of other functions taking
user input as arguments could potentially be as damaging as this one.
I think if a programmer can't read a manual page about a so common
function, he deserves what he has. Yes, I'm feeling a bit
pre-conventionnal tonight.

As for the `rm -rf /` case, I think it's the best exemple. Why should
a hacker bother on exploiting an include stupidly called with user
input unfiltered when he can get straight to an unprotected
system($_GET['Whatever']). Are you suggesting that virtually _any_
function should be protected against stupidity ? What kind of language
PHP would be after that ?

On 6/29/05, Russell Nelson <nelson@crynwr.com> wrote:
> Gareth Ardron writes:
>  > To me, it's obvious that include includes a file - I see no obvious
>  > determination that that file is either local or remote in the "include=
"
>  > statement.
>=20
> Can you name some other languages in which 'include' has such
> incredibly sharp edges?  C? Python? Perl? BASH? Sed? Awk?  Pascal?
> BASIC?  Is there *any* precedent for a language in which 'include'
> will fetch hostile code from a remote server and execute it?  If
> you're going to argue that experienced programmers will understand
> that 'include' will fetch code, you should explain how their
> experience helps them.
>=20
>  > Also, I think it's silly to make include into two functions as you
>  > suggest given that the ability to include a remote file depends on the
>  > fopen wrapper being enabled. If we were to follow this line of logic, =
we
>  > would have two functions for every current one function which can use
>  > the fopen wrappers.
>=20
> That's not my line of logic, so following it takes you off the map.
>=20
>  > I think the documentation quite clearly states that /all/ functions th=
at
>  > deal with files may deal with remote files if the fopen wrappers are
>  > enabled
>=20
> Why did both of my users miss that documentation?  The facts seem to
> be in opposition to your assertion that "the documentation quite
> clearly states".
>=20
>  > However, as I mention above, every single function that can use
>  > fopen wrappers can be exploited in this way.
>=20
> Not true.  You would need to have *another* security flaw (a bug in
> jpg or xml parsing) for hostile jpg or xml content to gain privileges.
>=20
>  > It's unfortunate, but there's a lot of muppets out there who think
>  > they can code
>=20
> Now you're blaming the victim.
>=20
> --
> --My blog is at     blog.russnelson.com         | If you want to find
> Crynwr sells support for free software  | PGPok | injustice in economic
> 521 Pleasant Valley Rd. | +1 315-323-1241       | affairs, look for the
> Potsdam, NY 13676-3213  |                       | hand of a legislator.
>=20
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>=20
>=20


--=20
Nicolas B=E9rard Nault (nicobn@gmail.com)
"Maybe nature is fundamentally ugly, chaotic and complicated. But if
it's like that, then I want out." -- Steven Weinberg (prix Nobel de
physique, 1979).