Newsgroups: php.internals
Date: Sun, 5 Nov 2006 12:22:59 -0500
From: ilia@prohost.org (Ilia Alshanetsky)
To: Rasmus Lerdorf
Cc: Peter Brodersen, internals@lists.php.net, Wez Furlong
Subject: Re: [PHP-DEV] allow_url_include and php:/data:

On 5-Nov-06, at 12:13 PM, Rasmus Lerdorf wrote:

> Ilia Alshanetsky wrote:
>> What's to say /drive/smb or letter:// is not an SMB device? Also why
>> break perfectly valid applications that perform operations on
>> networked file systems?
>
> We are only talking about marking them as is_url which doesn't have
> anything to do with performing normal operations on networked
> filesystems. How many real apps rely on being able to execute code
> via an smb include?

Quite a few since many "real apps" will happily install on an SMB share in a Linux or Windows environment. While this is an uncommon practice on Linux I've seen this done many times in the Windows environment. In Linux I have seen this done frequently for backup purposes (managed by PHP app) where PHP would create a backup and write it to the storage machine via SMB. Quite a few big hosters now offer access to SAN via SMB for backup purposes.

> The exact same argument could be made for a localhost
> http or ftp include which we also disallow. The fact that someone can
> map a remote machine to a local drive actually means that they can
> make sure their app works because then they have pre-configured which
> hosts are valid hosts for this use.

Not all users can mount the smb system due to permission restrictions or simple lack of know-how on how to do that. While the latter can be solved, solving the former is quite a bit trickier.

Ilia Alshanetsky