Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:16999
Return-Path: <Derrell.Lipman@UnwiredUniverse.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 84271 invoked by uid 1010); 29 Jun 2005 13:21:52 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 84255 invoked from network); 29 Jun 2005 13:21:52 -0000
Received: from unknown (HELO pb1.pair.com) (127.0.0.1)
  by localhost with SMTP; 29 Jun 2005 13:21:52 -0000
X-Host-Fingerprint: 66.92.75.243 dsl092-075-243.bos1.dsl.speakeasy.net Linux 2.4/2.6
Received: from ([66.92.75.243:4129] helo=amber.vis-av.com)
	by pb1.pair.com (ecelerity 1.2 r(5656M)) with SMTP
	id 71/52-00424-F60A2C24 for <internals@lists.php.net>; Wed, 29 Jun 2005 09:21:51 -0400
Received: (qmail 25290 invoked from network); 29 Jun 2005 13:21:47 -0000
Received: from unknown (HELO random.internal) (192.168.1.9)
	by amber.internal with SMTP; 29 Jun 2005 13:21:47 -0000
Received: (nullmailer pid 27017 invoked by uid 0);
	Wed, 29 Jun 2005 13:21:42 -0000
To: Jani Taskinen <sniper@iki.fi>
Cc: Russell Nelson <nelson@crynwr.com>, internals@lists.php.net
References: <42BDDC82.6020208@ohgaki.net>
	<17088.52397.92440.326561@desk.crynwr.com>
	<42C0CF76.6090203@lerdorf.com> <42C0F4DA.4000605@php.net>
	<17089.18702.450236.614561@desk.crynwr.com>
	<42C225F7.1060201@lerdorf.com>
	<17090.14242.815242.149673@desk.crynwr.com>
	<Pine.LNX.4.61.0506290919310.17486@arfg.argcubovn.sv>
Reply-To: Derrell.Lipman@UnwiredUniverse.com
Date: Wed, 29 Jun 2005 09:21:42 -0400
In-Reply-To: <Pine.LNX.4.61.0506290919310.17486@arfg.argcubovn.sv> (Jani
	Taskinen's message of "Wed, 29 Jun 2005 09:19:57 +0300 (EEST)")
Message-ID: <3br12t95.fsf@random.internal>
User-Agent: Gnus/5.110003 (No Gnus v0.3) XEmacs/21.4.17 (linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Subject: Re: [PHP-DEV] allow_url_fopen should be INI_ALL
From: Derrell.Lipman@UnwiredUniverse.com

Jani Taskinen <sniper@iki.fi> writes:

>     Please troll, do you go away if I close my eyes?

That's not fair.  Russell is providing strong arguments and rebuttals for
every point.  You may not agree with his points, but what he's doing is not
trolling.  This discussion seems to have strong backing on both sides of the
issue.

There has been an argument made during this discussion that the include()
construct does exactly as it is documented to do, and therefore the security
concerns are not warranted.  I have a bit of a problem with that argument:

The PHP documentation is really good -- some of the best of all the
open-source projects I've seen -- but there is so much documentation (and so
many capabilities of the language) that expecting people to read it all is
unreasonable.  PHP is sufficiently like C (a "good thing", I believe) that
experienced C developers can write code in PHP, and reference the
documentation when something doesn't work.

I've been developing PHP code for about 5 years, and have been a software
engineer working with many languages (but primarily C) for the past 25 years.
Although I validate all user input in PHP so I've never been bitten by this
problem, I was surprised when this topic started, that include() could access
remote files.  Yes, I probably knew it 5 years ago, but include() has a basic
meaning in all other languages I've used, and I would have expected it to work
the same way in PHP.

Someone suggested that if include() were insecure, then maybe system() is as
well.  I think I have to disagree with the comparison.  Anyone using system()
in any language expects the potential for nasty effects if the parameter is
nasty, so it would be clear that the developer needs to be extremely careful.
If include() could include only local files as is done in other languages (and
as many -- most? -- developers would expect), then it would be much less
dangerous.

Derrell