Newsgroups: php.internals
Xref: news.php.net php.internals:26346
Subject: Re: [PHP-DEV] allow_url_include and php:/data:
From: ilia@prohost.org (Ilia Alshanetsky)
To: Wez Furlong
Cc: "Peter Brodersen", "Rasmus Lerdorf", internals@lists.php.net
Date: Sun, 5 Nov 2006 11:23:03 -0500
Message-ID: <2D1DBDC4-F023-43D1-8A9E-BAB953504BCB@prohost.org>
In-Reply-To: <4e89b4260611050813x42dc16fq74fc6ee240a0038d@mail.gmail.com>
References: <454C5E50.4030108@zend.com> <454CFAA1.10104@lerdorf.com> <1EA6BEDC-ED17-4FE7-BDB1-B5E5C4FC4BFB@prohost.org> <4e89b4260611050813x42dc16fq74fc6ee240a0038d@mail.gmail.com>

On 5-Nov-06, at 11:13 AM, Wez Furlong wrote:

> I think it's a fair assumption that a random host specified in that
> way be treated as suspicious and lumped in under the
> disable-includes-by-default category.

What's random? Non-localhost/127.0.0.1?

> If someone discovers that it breaks their app, when they read the docs
> for allow_url_include it should be made very clear what the
> implications are and what should be done prior to turning it on.
>
> So I have no problem with disallowing includes for paths beginning
> with a double backslash on Windows, when allow_url_include is
> disabled.
>
> --Wez.
>
>
> On 11/5/06, Ilia Alshanetsky wrote:
>> I think it'd be wrong to consider a networked file system as non-local,
>> mostly because many times there are no ways to identify them reliably,
>> and the fact that this is a perfectly valid usage that, if disallowed by
>> default, would break a large number of applications.
>>
>>
>> On 4-Nov-06, at 4:12 PM, Peter Brodersen wrote:
>>
>>> On Sat, 04 Nov 2006 12:40:01 -0800, in php.internals
>>> rasmus@lerdorf.com (Rasmus Lerdorf) wrote:
>>>
>>>> Yeah, we probably should. Had a chat with Wez about it too. Here is
>>>> the patch. I think this catches the cases we are interested in:
>>>>
>>>> http://lerdorf.com/php/is_url.diff
>>>>
>>>> If someone could double-check it against those attacks it would be
>>>> helpful.
>>>
>>>
>>> Would requests to a smbserver, e.g.
>>> \\10.20.30.40\evil\malicious_php_code.txt be prevented as well? It
>>> seems like smbserver requests are regarded as part of the default
>>> filesystem wrapper.
>>>
>>> --
>>> - Peter Brodersen
>>>
>>> --
>>> PHP Internals - PHP Runtime Development Mailing List
>>> To unsubscribe, visit: http://www.php.net/unsub.php
>>>
>>>
>>
>> Ilia Alshanetsky
>>
>

Ilia Alshanetsky
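The thread argues about which include targets an is_url style check should refuse when allow_url_include is off: scheme-prefixed targets such as http:, php: and data:, and (per Wez) \\host\share UNC paths on Windows, versus plain filesystem paths. The classifier below is an added example written for this page; it is not the is_url.diff patch linked above and not PHP's own stream-wrapper code. The class names, the function names, the rule that a one-letter "scheme" is a Windows drive letter, and the policy of treating UNC paths like URLs when allow_url_include is disabled are assumptions made for the example; the sample paths are constructed.

```c
/*
 * Added example (not PHP's code, not the is_url.diff patch): classify an
 * include path as a local file, a scheme/wrapper target, or a UNC path,
 * then apply an allow_url_include-style policy to it.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum include_class {
    INC_LOCAL = 0,  /* plain filesystem path, drive-letter path, or file: */
    INC_URL   = 1,  /* scheme-prefixed: http:, ftp:, php:, data:, ... */
    INC_UNC   = 2   /* \\host\share: plain wrapper, but fetched over the network */
};

/* Length of an RFC 3986 scheme (ALPHA *(ALPHA / DIGIT / "+" / "-" / "."))
 * when the string starts with one followed by ':', otherwise 0. */
static size_t scheme_len(const char *p)
{
    size_t n = 0;
    if (!isalpha((unsigned char)p[0])) {
        return 0;
    }
    while (p[n] && (isalnum((unsigned char)p[n]) ||
                    p[n] == '+' || p[n] == '-' || p[n] == '.')) {
        n++;
    }
    return p[n] == ':' ? n : 0;
}

/* Case-insensitive compare of the first n bytes of p with lowercase literal s. */
static int scheme_is(const char *p, size_t n, const char *s)
{
    size_t i;
    if (strlen(s) != n) {
        return 0;
    }
    for (i = 0; i < n; i++) {
        if (tolower((unsigned char)p[i]) != s[i]) {
            return 0;
        }
    }
    return 1;
}

enum include_class classify_include_path(const char *path)
{
    size_t n;

    /* Backslash UNC form \\host\share\file. A leading "//" is deliberately
     * not matched: on POSIX it is just a local path. (assumed policy) */
    if (path[0] == '\\' && path[1] == '\\') {
        return INC_UNC;
    }
    n = scheme_len(path);
    if (n == 0) {
        return INC_LOCAL;            /* no scheme at all */
    }
    if (n == 1) {
        return INC_LOCAL;            /* "C:\..." is a drive letter (assumed rule) */
    }
    if (scheme_is(path, n, "file")) {
        return INC_LOCAL;            /* file: resolves to the plain filesystem wrapper */
    }
    return INC_URL;                  /* anything else goes through a wrapper */
}

/* With allow_url_include off, only INC_LOCAL targets may be included;
 * UNC paths are refused together with URLs (Wez's suggestion, assumed here). */
int include_allowed(const char *path, int allow_url_include)
{
    if (allow_url_include) {
        return 1;
    }
    return classify_include_path(path) == INC_LOCAL;
}

int main(void)
{
    /* constructed sample inputs; 203.0.113.5 is a TEST-NET address */
    static const char *samples[] = {
        "/var/www/lib.php",
        "C:\\inetpub\\lib.php",
        "file:///var/www/lib.php",
        "http://203.0.113.5/x.txt",
        "php://input",
        "data:text/plain;base64,PD9waHA=",
        "\\\\10.20.30.40\\evil\\malicious_php_code.txt"   /* Peter's case */
    };
    static const char *names[] = { "local", "url", "unc" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-48s %-5s allowed(allow_url_include=0)=%d\n", samples[i],
               names[classify_include_path(samples[i])],
               include_allowed(samples[i], 0));
    }
    return 0;
}
```

The scheme test is deliberately strict: any "word:" prefix longer than one letter that is not file: is treated as a wrapper target, so a relative path such as foo:bar.php would be refused when allow_url_include is off. That is the conservative side of the trade-off Ilia raises: a networked filesystem mounted at a plain path (NFS, a mapped drive) still classifies as local, because nothing in the string distinguishes it, while the explicit \\host\share form is the only network case the classifier can see.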