Newsgroups: php.internals
Message-ID: <454E1BC0.5070009@lerdorf.com>
Date: Sun, 05 Nov 2006 09:13:36 -0800
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: Ilia Alshanetsky
CC: Peter Brodersen, internals@lists.php.net, Wez Furlong
Subject: Re: [PHP-DEV] allow_url_include and php:/data:

Ilia Alshanetsky wrote:
> What's to say /drive/smb or letter:// is not an SMB device? Also why
> break perfectly valid applications that perform operations on networked
> file systems?

We are only talking about marking them as is_url which doesn't have
anything to do with performing normal operations on networked
filesystems. How many real apps rely on being able to execute code via
an smb include? The exact same argument could be made for a localhost
http or ftp include which we also disallow.

The fact that someone can map a remote machine to a local drive actually
means that they can make sure their app works because then they have
pre-configured which hosts are valid hosts for this use. If a bad guy
can mount remote filesystems onto your server, then you have bigger
problems.

-Rasmus