Newsgroups: php.internals
Date: Sat, 4 Nov 2006 22:08:43 -0000
To: "Stanislav Malyshev", "'PHP Internals'"
Cc: "Peter Brodersen"
Subject: Re: [PHP-DEV] allow_url_include and php:/data:
From: nlopess@php.net ("Nuno Lopes")

> Stefan Esser writes here:
> http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html
>
> that allow_url_include (and allow_url_fopen) can be easily worked around -
> i.e. externally-supplied code executed on server - by using php: and
> data: URLs. I think if we want allow_url_include to have any value then we
> should fix it... What do you think?

I don't usually intervene in discussions nor rudenesses here, but this time I felt I had to write this.. I'm pretty tired and reading such pathetic posts is frustrating..

Well in the first place I think Stefan should define which side he is on. He pretends to be a PHP developer, but he doesn't act as one, as he posted a message in his blog saying that a product that he supposedly helps to make is insecure.. This is not really ethical, IMHO. If he found some problem (security related or not), the first thing he would have to do was to warn the PHP team (or fix it directly), not to release a public advisory, nor an exploit, nor a slashdot/digg/... post, nor whatever..

But yes, I agree with Rasmus' patch.

> Would requests to a smbserver, e.g.
> \\10.20.30.40\evil\malicious_php_code.txt be prevented as well? It
> seems like smbserver requests are regarded as part of the default
> filesystem wrapper.

Well, this is a Windows only problem. open_basedir will block it, but probably it won't be blocked by anything else as it is handled as a local file by the OS. However, we can/should also think about this problem.

Nuno
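
The thread above raises two kinds of include target: php:/data: URLs and UNC paths that the OS opens like local files. As an added example (not part of the original message and not PHP's own code), here is an application-level check that refuses both before calling include. The function name, directory layout and sample targets are constructed, and the check is separate from the allow_url_include and open_basedir settings discussed in the thread.

```php
<?php
// Added example (not PHP's own logic): decide whether a string may be passed
// to include. All names and sample targets here are constructed.

function is_safe_include_target(string $target, string $baseDir): bool
{
    // Scheme-like prefix (php:, data:, http:, ...). Two or more characters
    // are required before the colon so a Windows drive letter is not matched.
    if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $target)) {
        return false;
    }
    // UNC path (\\host\share\file or //host/share/file): rejected before any
    // filesystem call, because the OS would open it like a local file.
    if (preg_match('#^[\\\\/]{2}#', $target)) {
        return false;
    }
    $base = realpath($baseDir);
    $full = realpath($target);   // false if the file does not exist
    if ($base === false || $full === false) {
        return false;
    }
    // Containment: the resolved path must sit below the allowed directory.
    return strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Constructed fixture: one allowed page and one file outside the page directory.
$root  = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
$pages = $root . DIRECTORY_SEPARATOR . 'pages';
mkdir($pages, 0700, true);
file_put_contents($pages . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");
file_put_contents($root . DIRECTORY_SEPARATOR . 'secret.txt', "constructed\n");

$targets = [
    $pages . DIRECTORY_SEPARATOR . 'home.php',
    $pages . DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR . 'secret.txt',
    'php://input',
    'data:text/plain,constructed',
    '\\\\10.20.30.40\\evil\\malicious_php_code.txt',
];
foreach ($targets as $t) {
    printf("%-6s %s\n", is_safe_include_target($t, $pages) ? 'allow' : 'reject', $t);
}

// Remove the constructed fixture.
unlink($pages . DIRECTORY_SEPARATOR . 'home.php');
unlink($root . DIRECTORY_SEPARATOR . 'secret.txt');
rmdir($pages);
rmdir($root);
```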