Newsgroups: php.internals
Date: Sun, 5 Nov 2006 08:55:03 +0100 (MET)
From: sesser@hardened-php.net (Stefan Esser)
To: Nuno Lopes
CC: Stanislav Malyshev, 'PHP Internals', Peter Brodersen
Subject: Re: [PHP-DEV] allow_url_include and php:/data:

Hi Nuno,

> I was already expecting this kind of answer from you, but you clearly
> don't know me.
> The previous e-mail wasn't a personal attack nor an attack on your
> business, nor was I doing any type of propaganda against you.

Calling my actions unethical and my posts pathetic is kinda a personal attack in the real world.

> I didn't know that, really. But in theory I'm also a PHP developer
> (although not very active) and I didn't receive any information about
> that.
> So, I don't know who knew that. But if the security team was aware of
> that, I present my excuses to you.

The fact that allow_url_fopen does not affect php://input was not only brought up by me before but has been actively used by script kiddies for years. And I really don't like to repeat myself 1000 times. When I brought this up the response I got was: "Yeah whatever. Stopping a few URLs is better than stopping none."

> If people don't know the facts, just explain the things to them
> nicely. No violence is needed, IMHO.

Well, PHP developers discuss on IRC how to kill me best by shooting me in my back. I am just answering in the same tone.

Stefan