Newsgroups: php.internals
Xref: news.php.net php.internals:26364
Message-ID: <454E2CAC.9030804@lerdorf.com>
Date: Sun, 05 Nov 2006 10:25:48 -0800
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: Ilia Alshanetsky
CC: Peter Brodersen, internals@lists.php.net, Wez Furlong
References: <454C5E50.4030108@zend.com> <454CFAA1.10104@lerdorf.com> <1EA6BEDC-ED17-4FE7-BDB1-B5E5C4FC4BFB@prohost.org> <4e89b4260611050813x42dc16fq74fc6ee240a0038d@mail.gmail.com> <2D1DBDC4-F023-43D1-8A9E-BAB953504BCB@prohost.org> <0936D8A3-72A3-4BD9-8394-AA0BC2193F56@prohost.org> <454E1BC0.5070009@lerdorf.com> <05D85086-60D2-4C9F-92FD-E4B5F6D5B486@prohost.org>
In-Reply-To: <05D85086-60D2-4C9F-92FD-E4B5F6D5B486@prohost.org>
Subject: Re: [PHP-DEV] allow_url_include and php:/data:

Ilia Alshanetsky wrote:
>
> On 5-Nov-06, at 12:13 PM, Rasmus Lerdorf wrote:
>> The exact same argument could be made for a localhost
>> http or ftp include which we also disallow.
>
> For http allowing localhost access is dangerous simply because the
> person could make the script request itself making a very nasty request
> loop that will instantly result in a denial of service that requires
> nothing short of a web server restart to resolve.

I still think disallowing anything that in any way looks like it could be
a remote include, even if under the covers it isn't, is what we should be
doing here when allow_url_include is disabled. The chance of false
positives doesn't change anything.

-Rasmus
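Added illustration of the policy argued above, not code from PHP or from anyone in this thread: a pre-include check that rejects any wrapper-prefixed target as "looks remote" when allow_url_include is off, so localhost http, data: and php://input are all refused even though the bytes may never leave the machine. The function names, the file-only local scheme set and the sample targets are my own assumptions, written in Python so the check runs stand-alone.

```python
"""Model of the stance taken in the thread: with allow_url_include off,
refuse every include target that carries a stream wrapper / URL scheme
other than a plain path, regardless of where the data really comes from.
This is an assumed policy check, not PHP's own implementation."""
import re
from typing import Optional

# Assumption: only bare filesystem paths and file:// count as local.
# Everything else with a scheme (http, ftp, data, php, ...) "looks remote".
LOCAL_SCHEMES = {"file"}

# A scheme is a letter followed by letters/digits/+/-/. up to the first ':'.
_SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.\-]*):", re.IGNORECASE)


def scheme_of(target: str) -> Optional[str]:
    """Return the lower-cased scheme of an include target, or None for a
    plain path. A single letter before ':' is a Windows drive letter
    (C:\\inc\\x.php), not a wrapper, so it also yields None."""
    m = _SCHEME_RE.match(target)
    if not m:
        return None
    scheme = m.group(1).lower()
    return None if len(scheme) == 1 else scheme


def looks_remote(target: str) -> bool:
    """True when the target could be a remote include by appearance alone,
    which is deliberately also true for localhost URLs and data: URIs."""
    scheme = scheme_of(target)
    return scheme is not None and scheme not in LOCAL_SCHEMES


def safe_include_target(target: str, allow_url_include: bool = False) -> bool:
    """Decide whether `target` may be handed to include/require."""
    if allow_url_include:
        return True
    return not looks_remote(target)


if __name__ == "__main__":
    # Constructed sample targets, covering the cases discussed in the thread.
    for t in ["/var/www/inc/header.php", "http://localhost/inc.php",
              "data:text/plain,hello", "php://input", "C:\\inc\\x.php"]:
        print(f"{t!r:40} safe={safe_include_target(t)}")
```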