Newsgroups: php.internals
Date: Sun, 05 Nov 2006 10:22:12 -0800
From: stas@zend.com (Stanislav Malyshev)
To: internals@lists.php.net
Subject: Re: [PHP-DEV] allow_url_include and php:/data:

Ilia Alshanetsky wrote:
> What's to say /drive/smb or letter:// is not an SMB device? Also why
> break perfectly valid applications that perform operations on networked
> file systems?

Well, it's the same as asking why break valid apps that perform operations on URLs. Because of security policy - i.e., if we choose to have a security policy that disallows running code with non-local origin influenced by user data - we must do it the full nine yards, not "we won't give it to you by http, but you are welcome to do it by smb".

Now, if it were not allowed by default by Windows (AFAIK it is allowed) or there were a known way to restrict that from Windows (which I don't know of) - then we may defer this task to the OS, but if there's none, then I don't see how http here would differ from smb... If we say including a file from an http source is not OK, then why would including a file from an smb source be ok?

--
Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/