Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:26318 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 33031 invoked by uid 1010); 4 Nov 2006 09:32:57 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 33016 invoked from network); 4 Nov 2006 09:32:57 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 4 Nov 2006 09:32:57 -0000 Authentication-Results: pb1.pair.com header.from=stas@zend.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=stas@zend.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain zend.com designates 212.25.124.162 as permitted sender) X-PHP-List-Original-Sender: stas@zend.com X-Host-Fingerprint: 212.25.124.162 mail.zend.com Linux 2.5 (sometimes 2.4) (4) Received: from [212.25.124.162] ([212.25.124.162:48771] helo=mail.zend.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id CA/50-29919-44E5C454 for ; Sat, 04 Nov 2006 04:32:55 -0500 Received: (qmail 10553 invoked from network); 4 Nov 2006 09:31:25 -0000 Received: from unknown (HELO ?127.0.0.1?) (192.168.2.101) by internal.zend.office with SMTP; 4 Nov 2006 09:31:25 -0000 Message-ID: <454C5E50.4030108@zend.com> Date: Sat, 04 Nov 2006 01:33:04 -0800 Organization: Zend Technologies User-Agent: Thunderbird 1.5.0.7 (Windows/20060909) MIME-Version: 1.0 To: 'PHP Internals' Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: allow_url_include and php:/data: From: stas@zend.com (Stanislav Malyshev) Stefan Esser writes here: http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html that allow_url_include (and allow_url_fopen) can be easily worked around - i.e. extrenally-supplied code executed on server - by using php: and data: URLs. I think if we want allow_url_include have any value than we should fix it... What do you think? -- Stanislav Malyshev, Zend Products Engineer stas@zend.com http://www.zend.com/