Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:26347 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 9087 invoked by uid 1010); 5 Nov 2006 16:38:16 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 9072 invoked from network); 5 Nov 2006 16:38:16 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 5 Nov 2006 16:38:16 -0000 Authentication-Results: pb1.pair.com header.from=penguin@php.net; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=penguin@php.net; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain php.net from 85.235.23.12 cause and error) X-PHP-List-Original-Sender: penguin@php.net X-Host-Fingerprint: 85.235.23.12 kbhn-vbrg-sr0-vl207-012.perspektivbredband.net Linux 2.4/2.6 Received: from [85.235.23.12] ([85.235.23.12:45556] helo=mail.ter.dk) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 5A/04-10980-5731E454 for ; Sun, 05 Nov 2006 11:38:14 -0500 Received: from workpenguin (workpenguin [192.168.1.32]) by mail.ter.dk (Kaffemaskine) with SMTP id 73EC88A400E; Sun, 5 Nov 2006 17:38:11 +0100 (CET) To: kingwez@gmail.com ("Wez Furlong") Cc: "Ilia Alshanetsky" , "Rasmus Lerdorf" , internals@lists.php.net Date: Sun, 05 Nov 2006 17:37:53 +0100 Message-ID: <164sk2pq9c6spfu094dkfsjme7l5susr58@4ax.com> References: <454C5E50.4030108@zend.com> <454CFAA1.10104@lerdorf.com> <1EA6BEDC-ED17-4FE7-BDB1-B5E5C4FC4BFB@prohost.org> <4e89b4260611050813x42dc16fq74fc6ee240a0038d@mail.gmail.com> In-Reply-To: <4e89b4260611050813x42dc16fq74fc6ee240a0038d@mail.gmail.com> X-Mailer: Forte Agent 1.91/32.564 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Subject: Re: [PHP-DEV] allow_url_include and php:/data: From: penguin@php.net (Peter Brodersen) Hi, At first I didn't think there would be an easy solution as it isn't possible to distinguish between requests to a "local" SMB server and an "outside" server. Both are network requests. But on the other hand, requesting a file specific via network protocols in PHP such as SMB or HTTP or FTP really shouldn't be any different. One is asking PHP to perform the network operation to fetch a foreign resource. The key is that administrators would be able to map the needed SMB servers as local devices (just as one would mount a NFS share or for that sake make an FTP mount) thorugh the operating/file system. In that case requesting e.g. Z:\file.txt though a device on a SMB server share (or a NFS share or a FTP share or ...) would be perfectly fine. In that case it would be the operating/file system that is performing the network operation (based on central server administration) and not some random PHP code (possibly based on user input). Of course, those rare cases where one would actually need to fetch files through arbitrary external hosts through PHP one could just turn on allow_url_include.=20 On Sun, 5 Nov 2006 08:13:18 -0800, in php.internals kingwez@gmail.com ("Wez Furlong") wrote: >I think it's a fair assumption that a random host specified in that >way be treated as suspicious and lumped in under the >disable-includes-by-default category. > >If someone discovers that it breaks their app, when they read the docs >for allow_url_include it should be made very clear what the >implications are and what should be done prior to turning it on. > >So i have no problem with disallowing includes for paths beginning >with a double backslash on windows, when allow_url_include is >disabled. > >--Wez. > > >On 11/5/06, Ilia Alshanetsky wrote: >> I think it'd be wrong to consider networked file system as non-local. >> Mostly because many times there are no ways to identify them reliable >> and the fact this is a perfectly valid usage that if disallowed by >> default would break a large number of applications. >> >> >> On 4-Nov-06, at 4:12 PM, Peter Brodersen wrote: >> >> > On Sat, 04 Nov 2006 12:40:01 -0800, in php.internals >> > rasmus@lerdorf.com (Rasmus Lerdorf) wrote: >> > >> >> Yeah, we probably should. Had a chat with Wez about it too. Here = is >> >> the patch. I think this catches the cases we are interested in: >> >> >> >> http://lerdorf.com/php/is_url.diff >> >> >> >> If someone could doublecheck it against those attacks it would be >> >> helpful. >> > >> > >> > Would requests to a smbserver, e.g. >> > \\10.20.30.40\evil\malicious_php_code.txt be prevented as well? It >> > seems like smbserver requests are regarded as part of the default >> > filesystem wrapper. >> > >> > -- >> > - Peter Brodersen >> > >> > -- >> > PHP Internals - PHP Runtime Development Mailing List >> > To unsubscribe, visit: http://www.php.net/unsub.php >> > >> > >> >> Ilia Alshanetsky >> >> -- >> PHP Internals - PHP Runtime Development Mailing List >> To unsubscribe, visit: http://www.php.net/unsub.php >> >> --=20 - Peter Brodersen