Newsgroups: php.internals
Subject: Re: [PHP-DEV] allow_url_include and php:/data:
From: tomsommer@php.net ("Tom Sommer")
To: RQuadling@GoogleMail.com
Cc: "Peter Brodersen", "Wez Furlong", "Ilia Alshanetsky", "Rasmus Lerdorf", internals@lists.php.net
Date: Mon, 6 Nov 2006 13:23:12 +0100 (CET)
Message-ID: <32244.62.242.67.218.1162815792.squirrel@webmail.dreamcoder.dk>
In-Reply-To: <10845a340611060055q10748249t66d63c9f53a23f7d@mail.gmail.com>

On Mon, November 6, 2006 09:55, Richard Quadling wrote:
> I develop solely on and for our Windows network. I regularly use
> includes on 2 different servers via \\ rather than a mapped drive.
>
> I can see that adding \\ to the list of restrictions would be an issue
> for me.
>
> But also, it is a trivial ini update to remove the problem. And it
> DOES make PHP more secure.
>
> So, +1 to add \\ to the list of restrictions.
>
> Not so sure it would be as easy for shared host ISPs on Windows to fix
> this though.

This seems to be more of a network setup issue, rather than a PHP issue. If you haven't blocked access to remote SMB servers in your network, you are asking for trouble. If you have a rogue SMB box or mount on your network, PHP is the least of your problems.

You can pretty much guarantee that if people are including URLs, they are either asking for trouble or looking for it. Blocking network mounts seems to be too much of an edge case for it to be included as a feature in allow_url_include, as it might have valid uses while URLs do not.

You could add an allow_remote_include option, but that would require another INI option, and those aren't so popular :)

My two cents

// Tom
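The distinction the thread draws, written out as an added example (not code from the thread, from PHP, or from any of the posters): allow_url_include governs URL wrappers only, so a UNC path is handled purely as a filesystem path, and an application that wants to refuse both has to check for them itself. The function names and the "local only" policy are this example's own assumptions.

```php
<?php
// Added example: allow_url_include only governs URL wrappers such as http://,
// ftp://, php:// and data:, while a UNC path like \\server\share\lib.php goes
// straight to the filesystem layer on Windows and is never covered by that
// ini setting. Function names and the local-only policy are assumptions here.

function classify_include_target(string $path): string
{
    // UNC share: two leading backslashes (PHP also accepts // on Windows).
    $head = substr($path, 0, 2);
    if ($head === '\\\\' || $head === '//') {
        return 'unc';
    }
    // Wrapper scheme (http:, php:, data:, ...) but not a drive letter (C:\).
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $path)
        && !preg_match('#^[a-z]:[\\\\/]#i', $path)) {
        return 'wrapper';
    }
    return 'local';
}

// Resolve an include target under $base, refusing UNC and wrapper targets
// regardless of how allow_url_include / allow_url_fopen are configured.
function resolve_local_include(string $path, string $base): string
{
    if (classify_include_target($path) !== 'local') {
        throw new RuntimeException("refusing non-local include target: $path");
    }
    $root = realpath($base);
    $real = realpath($base . DIRECTORY_SEPARATOR . $path);
    if ($root === false || $real === false || strncmp($real, $root, strlen($root)) !== 0) {
        throw new RuntimeException("include target escapes $base: $path");
    }
    return $real;
}

// Constructed samples, one per class the thread distinguishes.
$samples = [
    '\\\\fileserver\\share\\lib.php' => 'unc',      // the \\ include case
    'http://example.invalid/x.php'   => 'wrapper',  // governed by allow_url_include
    'data:text/plain,hello'          => 'wrapper',
    'php://input'                    => 'wrapper',
    'C:\\www\\lib\\util.php'         => 'local',    // drive letter, not a scheme
    'lib/util.php'                   => 'local',
];
foreach ($samples as $p => $expected) {
    assert(classify_include_target($p) === $expected);
    printf("%-32s %s\n", $p, classify_include_target($p));
}
echo resolve_local_include(basename(__FILE__), __DIR__), PHP_EOL;
printf("allow_url_include=%s\n", ini_get('allow_url_include') === '1' ? 'On' : 'Off');
```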