Newsgroups: php.internals
Date: Thu, 11 Jan 2007 17:14:06 +0100
From: pierre.php@gmail.com (Pierre)
To: "Stefan Esser"
Cc: "Rasmus Lerdorf", "Alain Williams", internals@lists.php.net, kel@securityfocus.com
Subject: Re: [PHP-DEV] Comments on PHP security

Hello Stefan,

On 1/11/07, Stefan Esser wrote:
> Hello Rasmus,
> > There are some concrete suggestions in the article that we addressed a
> > while ago. Things like:
> >
> > "I'd like to see new defaults that limit include() and require() to
> > only allow local files, thereby avoiding remote file injection."
> >
> > That's the default in PHP 5.2.0 which was released over 2 months ago now.
> >
> This is not true. It was demonstrated several times that the
> "protection" is easily bypassed by using data:// or php://input URLs.
> Maybe this is fixed in PHP 5.2.1 but it is not in 5.2.0. And it
> certainly is no protection at all when someone can just use one of the
> other URL wrappers of PHP that are considered safe and put in an
> overlong URL that produces a stack overflow. (Hello zip://)

For your information, zip is not enabled by default. If you have a
bug/issue about the specific zip:// URL, please let me know. Ilia and
Tony already fixed some paths fixes and the fixes are available in
zip-1.8.4. They will be in 5.2.1.

--Pierre