Newsgroups: php.internals
Xref: news.php.net php.internals:26327
Subject: Re: [PHP-DEV] allow_url_include and php:/data:
From: penguin@php.net (Peter Brodersen)
To: rasmus@lerdorf.com (Rasmus Lerdorf)
Date: Sat, 04 Nov 2006 22:12:56 +0100
References: <454C5E50.4030108@zend.com> <454CFAA1.10104@lerdorf.com>
In-Reply-To: <454CFAA1.10104@lerdorf.com>

On Sat, 04 Nov 2006 12:40:01 -0800, in php.internals rasmus@lerdorf.com (Rasmus Lerdorf) wrote:

> Yeah, we probably should. Had a chat with Wez about it too. Here is
> the patch. I think this catches the cases we are interested in:
>
> http://lerdorf.com/php/is_url.diff
>
> If someone could double-check it against those attacks it would be helpful.

Would requests to an SMB server, e.g. \\10.20.30.40\evil\malicious_php_code.txt, be prevented as well?

It seems like SMB server requests are regarded as part of the default filesystem wrapper.

--
- Peter Brodersen
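An added illustration of the gap Peter is asking about (example code written for this note, not Rasmus's patch, whose contents are not reproduced here): a scheme-prefix test of the kind an "is this a URL?" check performs never matches a UNC path, because \\host\share carries no scheme, so an include gate built only on such a test must also ask "is this a UNC path?". The three function names are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical scheme-based test: true when the path starts with
 * "scheme:" where scheme is [A-Za-z][A-Za-z0-9+.-]* of length >= 2.
 * The length rule keeps a Windows drive letter ("C:\...") from being
 * mistaken for a scheme. Catches http://, ftp://, php://, data: ... */
bool looks_like_url(const char *p)
{
    if (!isalpha((unsigned char)*p))
        return false;
    const char *q = p + 1;
    while (isalnum((unsigned char)*q) || *q == '+' || *q == '.' || *q == '-')
        q++;
    return (q - p) >= 2 && *q == ':';
}

/* A UNC path (\\host\share\file) has no scheme at all, so the test
 * above returns false for it even though it reaches a remote SMB
 * server through the ordinary filesystem path handling. */
bool is_unc_path(const char *p)
{
    return p[0] == '\\' && p[1] == '\\';
}

/* Combined gate: what a "remote include disabled" check has to refuse. */
bool include_target_is_remote(const char *p)
{
    return looks_like_url(p) || is_unc_path(p);
}
```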