Newsgroups: php.internals
Subject: Re: [PHP-DEV] Comments on PHP security
From: Ilia Alshanetsky <ilia@prohost.org>
To: Marcus Boerger
Cc: Stefan Esser, Rasmus Lerdorf, internals@lists.php.net
Date: Sat, 13 Jan 2007 12:22:33 -0500
In-Reply-To: <526994769.20070113181330@marcus-boerger.de>
References: <45A8FC49.7050909@hardened-php.net> <45A90809.3050008@lerdorf.com> <45A91002.8020607@hardened-php.net> <526994769.20070113181330@marcus-boerger.de>

Marcus,

You want to use an INI setting to specify which streams are local and which are remote? That seems like a recipe for disaster to me; people adjusting this setting may not consider some streams that are remote, etc., leading to security holes. There is really no reason why PHP could not effectively use flags internally to identify the difference between the two sources of streams. Ultimately it'll always fall to the extension writer, same as with open_basedir, which an author can choose to bypass if they so choose.

The main issue here, I think, is that the is_url flag is new and there are many extensions providing remote wrappers that were written prior to its addition and therefore do not have a proper setting in place, which may have been added in a hurry to solve a compilation failure.

On 13-Jan-07, at 12:13 PM, Marcus Boerger wrote:

> Hello Stefan,
>
> I also think something should be done here. The is_url flag does not
> really help. What we imho need is an ini setting that allows specifying
> which stream handlers to allow. And that should not include user
> streams.
>
> best regards
> marcus

Ilia Alshanetsky
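The mechanism the two messages above argue about, as an added example that is not part of the thread and is not PHP's own source: a small C model of a stream-wrapper registry where each wrapper carries an is_url flag, and an open/include gate that refuses remote wrappers unless two switches modelled after allow_url_fopen and allow_url_include permit them. One constructed entry ("ftp") has the flag left at 0 to stand in for an extension written before the flag existed, which is the failure mode Ilia describes. All names (wrapper_t, ini_t, locate_wrapper, audit_registry) and the registry contents are invented for this example.

```c
/*
 * Added example, not PHP's own code: a simplified model of gating remote
 * stream wrappers behind a per-wrapper is_url flag rather than an INI
 * allow-list of handlers. All identifiers and data are constructed.
 */
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *scheme;  /* text before "://", e.g. "http" */
    int is_url;          /* 1 = remote source, 0 = local source */
} wrapper_t;

/* Constructed registry. "ftp" deliberately carries is_url = 0 to model an
 * extension written before the flag was introduced and never updated. */
static const wrapper_t registry[] = {
    { "file",  0 },
    { "php",   0 },
    { "http",  1 },
    { "https", 1 },
    { "ftp",   0 },  /* wrong on purpose: a remote wrapper flagged local */
};
#define NREG (sizeof registry / sizeof registry[0])

/* Modelled after the allow_url_fopen / allow_url_include switches. */
typedef struct {
    int allow_url_fopen;
    int allow_url_include;
} ini_t;

enum { WR_OK = 0, WR_NO_WRAPPER = -1, WR_URL_BLOCKED = -2 };

/* Resolve a path or URL to its wrapper; NULL when no wrapper owns the scheme. */
static const wrapper_t *find_wrapper(const char *path) {
    const char *sep = strstr(path, "://");
    if (!sep)
        return &registry[0];  /* plain filesystem path -> "file" */
    size_t n = (size_t)(sep - path);
    for (size_t i = 0; i < NREG; i++)
        if (strlen(registry[i].scheme) == n && strncmp(path, registry[i].scheme, n) == 0)
            return &registry[i];
    return NULL;
}

/* The gate: a wrapper flagged is_url is refused unless the switches allow it.
 * A wrapper that mislabels itself as local never reaches the check, so the
 * INI switches cannot protect against it. */
int locate_wrapper(const char *path, const ini_t *ini, int for_include) {
    const wrapper_t *w = find_wrapper(path);
    if (!w)
        return WR_NO_WRAPPER;
    if (w->is_url) {
        if (!ini->allow_url_fopen)
            return WR_URL_BLOCKED;
        if (for_include && !ini->allow_url_include)
            return WR_URL_BLOCKED;
    }
    return WR_OK;
}

/* Maintainer-side check: count registered wrappers whose scheme is on a
 * constructed list of network-fetching schemes but whose is_url is 0. */
int audit_registry(void) {
    static const char *const remote_schemes[] = { "http", "https", "ftp", "ftps" };
    int bad = 0;
    for (size_t i = 0; i < NREG; i++)
        for (size_t j = 0; j < sizeof remote_schemes / sizeof remote_schemes[0]; j++)
            if (strcmp(registry[i].scheme, remote_schemes[j]) == 0 && !registry[i].is_url) {
                printf("wrapper %s fetches remotely but has is_url = 0\n", registry[i].scheme);
                bad++;
            }
    return bad;
}

int main(void) {
    ini_t hardened = { 0, 0 };
    ini_t fopen_only = { 1, 0 };
    printf("include http://  (hardened)   -> %d\n",
           locate_wrapper("http://example.invalid/x.php", &hardened, 1));
    printf("read    http://  (fopen only) -> %d\n",
           locate_wrapper("http://example.invalid/x.txt", &fopen_only, 0));
    printf("include ftp://   (hardened)   -> %d  <- slips through the gate\n",
           locate_wrapper("ftp://example.invalid/x.php", &hardened, 1));
    printf("misflagged wrappers found by audit: %d\n", audit_registry());
    return 0;
}
```

The point the model makes is the one in Ilia's second paragraph: the gate is only as good as each wrapper's own flag, so the practical safeguard is an audit of every registered wrapper's is_url value (audit_registry above), not another INI knob that the deployer has to keep in sync with the wrappers actually loaded.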