Newsgroups: php.internals
Message-ID: <17091.6714.614244.751950@desk.crynwr.com>
Date: Wed, 29 Jun 2005 18:01:30 -0400
To: internals@lists.php.net
Subject: Re: [PHP-DEV] allow_url_fopen should be INI_ALL
From: nelson@crynwr.com (Russell Nelson)

Nelson Menezes writes:
 > The potential for inclusion of malicious code is, if
 > anything, a common oversight, not a design flaw.

If it's a common oversight, then it *is* a design flaw.

 > 1. Create an INI_ALL variable that means something like "allow fopen
 > wrappers in include/require" and default it to whatever is thought
 > appropriate -- if it *is* a very common oversight, maybe false.

That would solve the problem.  You could still use the sharp edges of
'include', but you would have to take the sheath off first.

Does anyone disagree with Nelson's suggestion?  If I wrote the patch,
who should I submit it to?  It ought to be pretty small, so I could
post it here, but that's probably not right.

-- 
--My blog is at     blog.russnelson.com         | If you want to find
Crynwr sells support for free software  | PGPok | injustice in economic
521 Pleasant Valley Rd. | +1 315-323-1241       | affairs, look for the
Potsdam, NY 13676-3213  |                       | hand of a legislator.
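
One way an application can enforce in its own code the opt-in that the quoted suggestion describes, as an added example that is not from this thread, the proposed patch, or PHP itself. `guarded_include()` and its parameters are hypothetical names, and confining local paths to a base directory is an assumption that goes beyond the message.

```php
<?php
// Added example. guarded_include() is a hypothetical helper, not a PHP built-in.

/**
 * Include $path only if it resolves to a file under $baseDir.
 * Targets that name a registered stream wrapper (http://, ftp://, php://,
 * data:, ...) are refused unless the caller opts in explicitly.
 */
function guarded_include(string $path, string $baseDir, bool $allowWrappers = false)
{
    // A leading "scheme:" that matches a registered wrapper means include
    // would go through the fopen wrapper layer instead of the local disk.
    if (preg_match('~^([a-z][a-z0-9+.\-]*):~i', $path, $m)
        && in_array(strtolower($m[1]), stream_get_wrappers(), true)) {
        if (!$allowWrappers) {
            throw new RuntimeException('wrapper include refused: ' . strtolower($m[1]));
        }
        // Explicit opt-in; PHP's own ini settings still apply here.
        return include $path;
    }

    // Local case: resolve relative to the base directory and confine to it.
    $base = realpath($baseDir);
    $real = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $path);
    if ($real === false || !is_file($real)
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('local include refused: ' . $path);
    }
    return include $real;
}

// Constructed demo data: one local file and three targets that must be refused.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'guarded_include_demo';
if (!is_dir($dir)) {
    mkdir($dir);
}
file_put_contents($dir . DIRECTORY_SEPARATOR . 'hello.php', '<?php return "local ok";');

echo guarded_include('hello.php', $dir), "\n";

foreach (['http://example.invalid/page.txt', 'data:text/plain,x', '../outside.php'] as $target) {
    try {
        guarded_include($target, $dir);
    } catch (RuntimeException $e) {
        echo 'blocked: ', $e->getMessage(), "\n";
    }
}
```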