Newsgroups: php.internals
Date: Fri, 29 Jul 2005 21:28:45 -0400
To: internals@lists.php.net
Subject: Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off
From: preinheimer@gmail.com (Paul Reinheimer)

Since comments were called for I thought I might weigh in with my $0.02cdn

When configuring PHP I want a way to protect myself, and my users from themselves when it comes to doing something silly, I've actually seen include($_GET['function']) in running code, though thankfully never on one of my projects. I would like to be able to prevent something like this from happening at the .ini level, whether that's allow_url_fopen or some other setting doesn't really matter.

Beyond that, I'm only mildly interested in granularity, and then probably at the user/directory of execution level rather than the particular function level.

So something like:
allow_users_to_be_foolish(yes/no) -> disable remote file loading in include/require
allow_remote_data_retreival(yes/no) -> disable remote file retrieval with fopen, file_get_contents, streams, etc. If you're setting this option don't bother installing --with-curl, problem solved.

Would suit me fine. Being able to do that in .htaccess or within some other Apache based structure would be great, but not really needed.

I agree with the previously mentioned "If their aim is that good, they deserve to be shot in the foot" completely

paul

On 7/28/05, Jason Sweat wrote:
> On 7/28/05, Sean Coates wrote:
> > >> That won't work, eval() is not a function...
> > >
> > > Ah yes, you're right... I guess we do need another INI setting.
> >
> > Or constructs-that-look-like-functions could be governed by
> > disable_functions (eval, echo).. that would cause other problems (like a
> > disabled "return"), though.
> >
> > S
>
> I think Zeev's earlier comment about "If their aim is that good, they
> deserve to be shot in the foot" applies equally well to "disabled
> "return" "
>
> Regards,
> Jason

--
Paul Reinheimer
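
Added example, not part of the original message or of PHP's own code: the include($_GET['function']) pattern mentioned above next to an allowlist lookup, plus a startup check of the ini switches that govern remote loading. The handler names and the handlers/ directory are hypothetical; allow_url_include is a php.ini directive from later PHP releases (5.2 onward) and is not mentioned in the thread.

```php
<?php
// Added illustration; handler names and the handlers/ directory are hypothetical.

// The pattern from the message: the request picks the file, so with URL
// wrappers enabled for include the "file" may be a remote URL.
//     include($_GET['function']);

// Report which of the two ini switches currently permit remote loading.
function remote_loading_flags(): array
{
    $flags = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $name) {
        // ini_get() returns strings such as "1", "On", "" or "0",
        // or false when the directive is unknown to this PHP build.
        $flags[$name] = filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
    }
    return $flags;
}

// Map request values to fixed local files; the request never supplies a path.
function resolve_handler(string $requested, string $baseDir): ?string
{
    $allowed = [
        'list' => 'list.php',
        'view' => 'view.php',
    ];
    if (!isset($allowed[$requested])) {
        return null; // unknown name, including any URL or ../ path
    }
    return $baseDir . DIRECTORY_SEPARATOR . $allowed[$requested];
}

foreach (remote_loading_flags() as $name => $enabled) {
    if ($enabled) {
        error_log("$name is On; URL wrappers are usable by code on this host");
    }
}

// Constructed sample inputs standing in for $_GET['function'].
foreach (['view', 'http://example.test/x.txt', '../../etc/passwd'] as $input) {
    $path = resolve_handler($input, __DIR__ . '/handlers');
    echo $input, ' => ', $path ?? 'rejected', PHP_EOL;
}
```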