Newsgroups: php.internals
Xref: news.php.net php.internals:27431
Date: Sat, 13 Jan 2007 18:32:21 +0100
From: helly@php.net (Marcus Boerger)
Reply-To: Marcus Boerger
To: Ilia Alshanetsky
Cc: Stefan Esser, Rasmus Lerdorf, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Comments on PHP security
Message-ID: <904174835.20070113183221@marcus-boerger.de>
References: <45A8FC49.7050909@hardened-php.net> <45A90809.3050008@lerdorf.com> <45A91002.8020607@hardened-php.net> <526994769.20070113181330@marcus-boerger.de>

Hello Ilia,

what i wanted is a SYSTEM INI setting that allows which streams work
exactly. As opposed to being able to select between all and none while
hoping that the switch works (for the reasons you specified).

best regards
marcus

Saturday, January 13, 2007, 6:22:33 PM, you wrote:

> Marcus,

> You want to use an INI setting to specify which streams are local and
> which are remote? That seems like a recipe for disaster to me, people
> adjusting this setting may not consider some streams that are remote
> etc... leading to security holes. There is really no reason why PHP
> could not effectively use flags internally to identify the difference
> between the two sources of streams. Ultimately it'll always fall to
> the extension writer, same as with open_basedir, which author can
> choose to bypass if they so choose to.

> The main issue here, I think, is that the is_url flag is new and there
> are many extensions providing remote wrappers that have been written
> prior to its addition and therefore do not have a proper setting in
> place, which may have been added in a hurry to solve a compilation
> failure.

> On 13-Jan-07, at 12:13 PM, Marcus Boerger wrote:

>> Hello Stefan,
>>
>> i also think something should be done here. The is_url flag does not
>> really help. What we imho need is an ini setting that allows
>> specifying which stream handlers to allow. And that should not include
>> user streams.
>>
>> best regards
>> marcus

> Ilia Alshanetsky

Best regards,
 Marcus
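As an added example (not code from this thread or from PHP itself), the per-wrapper allowlist Marcus is asking for can be approximated in userland with the standard stream_* functions; the function names are my own, and the script assumes it runs before any third-party code registers wrappers of its own:

```php
<?php
// Added example: enforce an allowlist of stream wrappers, the policy the
// thread wants as a system INI setting. Function names are hypothetical;
// stream_get_wrappers(), stream_wrapper_unregister() and
// stream_wrapper_restore() are standard PHP.

/**
 * Unregister every currently registered wrapper not in $allowed.
 * Returns the list of wrapper names that were disabled.
 */
function enforce_wrapper_allowlist(array $allowed): array
{
    $disabled = [];
    foreach (stream_get_wrappers() as $wrapper) {
        if (in_array($wrapper, $allowed, true)) {
            continue;
        }
        if (stream_wrapper_unregister($wrapper)) {
            $disabled[] = $wrapper;
        }
    }
    return $disabled;
}

/**
 * Report whether a path would be served by an allowed wrapper.
 * A path without a scheme goes to the plain-files wrapper ("file"),
 * so it is allowed only if "file" itself is on the allowlist.
 */
function path_uses_allowed_wrapper(string $path, array $allowed): bool
{
    if (!preg_match('#^([a-zA-Z][a-zA-Z0-9+.-]*)://#', $path, $m)) {
        return in_array('file', $allowed, true);
    }
    return in_array(strtolower($m[1]), $allowed, true);
}

// Deliberately local-only: no http, ftp, or user-registered schemes.
$allowed = ['file', 'php'];
$disabled = enforce_wrapper_allowlist($allowed);
error_log('disabled stream wrappers: ' . implode(', ', $disabled));

// From here on fopen('http://...') no longer reaches the http wrapper.
// Limitation, and the reason the thread wants this in the engine/INI:
// userland can call stream_wrapper_restore('http') or register a new
// scheme with stream_wrapper_register(), undoing the allowlist.
var_dump(path_uses_allowed_wrapper('http://example.invalid/x', $allowed));
var_dump(path_uses_allowed_wrapper('/etc/hostname', $allowed));
```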