Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:26342 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 99653 invoked by uid 1010); 5 Nov 2006 16:08:19 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 99638 invoked from network); 5 Nov 2006 16:08:19 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 5 Nov 2006 16:08:19 -0000 Authentication-Results: pb1.pair.com header.from=iliaal@gmail.com; sender-id=pass; domainkeys=good Authentication-Results: pb1.pair.com smtp.mail=iliaal@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 64.233.162.207 as permitted sender) DomainKey-Status: good X-DomainKeys: Ecelerity dk_validate implementing draft-delany-domainkeys-base-01 X-PHP-List-Original-Sender: iliaal@gmail.com X-Host-Fingerprint: 64.233.162.207 nz-out-0102.google.com Linux 2.4/2.6 Received: from [64.233.162.207] ([64.233.162.207:6265] helo=nz-out-0102.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id F6/A2-10980-07C0E454 for ; Sun, 05 Nov 2006 11:08:18 -0500 Received: by nz-out-0102.google.com with SMTP id o1so662227nzf for ; Sun, 05 Nov 2006 08:08:14 -0800 (PST) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:in-reply-to:references:mime-version:content-type:message-id:cc:content-transfer-encoding:from:subject:date:to:x-mailer:sender; b=SYPL4i1GjugBoWo6kwNhAhyUBfIyGrXd+x+MXTy8JfLZBmXE/xzLfRKkUoe8kaoiPDX+N75OXfAnZhewkh5BY1TRT+hTBWo+9S+fL658ZdbAu7By4WaJdtaqCZGFNhgu0PgGqaPdrWCD8kqhbHh+1cEJnuZoHk5AMDikZoHnMXU= Received: by 10.65.185.13 with SMTP id m13mr4015272qbp.1162742894395; Sun, 05 Nov 2006 08:08:14 -0800 (PST) Received: from ?192.168.1.6? ( [74.108.69.82]) by mx.google.com with ESMTP id e17sm5306268qbe.2006.11.05.08.08.13; Sun, 05 Nov 2006 08:08:14 -0800 (PST) In-Reply-To: References: <454C5E50.4030108@zend.com> <454CFAA1.10104@lerdorf.com> Mime-Version: 1.0 (Apple Message framework v752.3) Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed Message-ID: <1EA6BEDC-ED17-4FE7-BDB1-B5E5C4FC4BFB@prohost.org> Cc: rasmus@lerdorf.com (Rasmus Lerdorf), Content-Transfer-Encoding: 7bit Date: Sun, 5 Nov 2006 11:08:05 -0500 To: Peter Brodersen X-Mailer: Apple Mail (2.752.3) Sender: Ilia Alshanetsky Subject: Re: [PHP-DEV] allow_url_include and php:/data: From: ilia@prohost.org (Ilia Alshanetsky) I think it'd be wrong to consider networked file system as non-local. Mostly because many times there are no ways to identify them reliable and the fact this is a perfectly valid usage that if disallowed by default would break a large number of applications. On 4-Nov-06, at 4:12 PM, Peter Brodersen wrote: > On Sat, 04 Nov 2006 12:40:01 -0800, in php.internals > rasmus@lerdorf.com (Rasmus Lerdorf) wrote: > >> Yeah, we probably should. Had a chat with Wez about it too. Here is >> the patch. I think this catches the cases we are interested in: >> >> http://lerdorf.com/php/is_url.diff >> >> If someone could doublecheck it against those attacks it would be >> helpful. > > > Would requests to a smbserver, e.g. > \\10.20.30.40\evil\malicious_php_code.txt be prevented as well? It > seems like smbserver requests are regarded as part of the default > filesystem wrapper. > > -- > - Peter Brodersen > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > Ilia Alshanetsky