Newsgroups: php.internals
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: Stanislav Malyshev
CC: "'PHP Internals'"
Date: Sat, 04 Nov 2006 12:40:01 -0800
Subject: Re: [PHP-DEV] allow_url_include and php:/data:
Message-ID: <454CFAA1.10104@lerdorf.com>
In-Reply-To: <454C5E50.4030108@zend.com>

Stanislav Malyshev wrote:
> Stefan Esser writes here:
> http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html
>
> that allow_url_include (and allow_url_fopen) can be easily worked around
> - i.e. externally-supplied code executed on server - by using php: and
> data: URLs. I think if we want allow_url_include to have any value then we
> should fix it... What do you think?

Yeah, we probably should. Had a chat with Wez about it too. Here is the
patch. I think this catches the cases we are interested in:

http://lerdorf.com/php/is_url.diff

If someone could double-check it against those attacks it would be helpful.

-Rasmus
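
The gap discussed in this thread, as an added example that is not part of the original message and is not the contents of is_url.diff: a check that treats only network wrappers as URLs lets php: and data: paths through when allow_url_include is off, while a check that admits only plain paths and file:// refuses them. The function names, the wrapper lists and the scheme grammar are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Added illustration; not the contents of is_url.diff. */

/* Length of a leading wrapper scheme in path, or 0 for a plain file path.
 * Assumed grammar: [A-Za-z0-9+.-]{2,} followed by "://", plus bare "data:". */
static size_t scheme_len(const char *path)
{
    size_t n = 0;
    while (isalnum((unsigned char)path[n]) || path[n] == '+' ||
           path[n] == '-' || path[n] == '.')
        n++;
    if (n < 2 || path[n] != ':')
        return 0;               /* "C:\x" and "dir/file.php" are not schemes */
    if (strncmp(path + n + 1, "//", 2) == 0)
        return n;
    if (n == 4 && strncasecmp(path, "data", 4) == 0)
        return n;               /* data: carries its payload without "//" */
    return 0;
}

/* Case-insensitive membership test of the first n bytes of path in list. */
static int scheme_in(const char *path, size_t n, const char *const *list)
{
    for (; *list; list++)
        if (strlen(*list) == n && strncasecmp(path, *list, n) == 0)
            return 1;
    return 0;
}

/* Narrow check: only network wrappers count as URLs (hypothetical list). */
int include_allowed_narrow(const char *path, int allow_url_include)
{
    static const char *const network[] = { "http", "https", "ftp", "ftps", NULL };
    size_t n = scheme_len(path);
    return allow_url_include || n == 0 || !scheme_in(path, n, network);
}

/* Broad check: with the setting off, only plain paths and file:// pass,
 * so php:, data: and any wrapper registered later are refused by default. */
int include_allowed_broad(const char *path, int allow_url_include)
{
    static const char *const local[] = { "file", NULL };
    size_t n = scheme_len(path);
    return allow_url_include || n == 0 || scheme_in(path, n, local);
}
```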