Newsgroups: php.internals
Message-ID: <05D85086-60D2-4C9F-92FD-E4B5F6D5B486@prohost.org>
From: ilia@prohost.org (Ilia Alshanetsky)
To: Rasmus Lerdorf
Cc: Peter Brodersen, internals@lists.php.net, Wez Furlong
Date: Sun, 5 Nov 2006 13:02:24 -0500
Subject: Re: [PHP-DEV] allow_url_include and php:/data:

On 5-Nov-06, at 12:13 PM, Rasmus Lerdorf wrote:

> The exact same argument could be made for a localhost
> http or ftp include which we also disallow.

For http, allowing localhost access is dangerous simply because the person could make the script request itself, making a very nasty request loop that will instantly result in a denial of service that requires nothing short of a web server restart to resolve.

Ilia Alshanetsky
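
The request loop described in the message above, as an added model that is not part of the original post or of PHP's code. It assumes a server with a fixed worker pool in which every nested self-request keeps its caller's worker waiting; the function names, pool sizes and URLs are constructed for illustration.

```python
# Added model (not PHP source): a fixed worker pool serving a script that
# includes a URL over HTTP. Names, pool sizes and URLs are constructed.
import ipaddress
from urllib.parse import urlsplit

LOCAL_NAMES = {"localhost"}  # assumption: names treated as local without DNS


def is_local_target(url):
    """True when the include URL points back at the serving host (loopback)."""
    host = (urlsplit(url).hostname or "").lower()
    if host in LOCAL_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # not an IP literal; a real check would resolve the name


def serve(include_url, workers, block_local):
    """Model one external request to a script that includes include_url.

    Assumption: a local include_url is the script's own URL, so handling it
    triggers the same include again. Returns (workers_held, stalled).
    """
    local = is_local_target(include_url)
    held = 0
    while held < workers:
        held += 1  # a worker picks up the request and keeps it until it ends
        if not local or block_local:
            # Remote include, or local include refused: no further nesting
            # inside this pool, so the chain of requests can finish.
            return held, False
        # Otherwise the worker issues a nested request to the same script
        # and waits for the response while still holding its slot.
    # No free worker is left and every held worker waits on the next one.
    return held, True


if __name__ == "__main__":
    for url, block in [("http://localhost/index.php", False),
                       ("http://localhost/index.php", True),
                       ("http://example.org/inc.php", False)]:
        print(url, "block_local=%s" % block, serve(url, 8, block))
```
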