Newsgroups: php.internals
From: Stefan Esser <sesser@hardened-php.net>
To: Marcus Boerger
CC: Ilia Alshanetsky, Rasmus Lerdorf, internals@lists.php.net
Date: Sat, 13 Jan 2007 18:46:06 +0100 (MET)
Message-ID: <45A91AE0.2070407@hardened-php.net>
In-Reply-To: <904174835.20070113183221@marcus-boerger.de>
Subject: Re: [PHP-DEV] Comments on PHP security

My 2 cents: actually, the best would be to completely forbid the usage of URLs inside include/require and introduce a new keyword, include_url, that works like the current include works, and rename allow_url_include to allow_dangerous_urls (for include_url only).

Basically this would protect everyone from URL includes with no way around it, and if someone really really wants this dangerous feature he has to explicitly request it via include_url.

Stefan Esser
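The split proposed above (a plain include that can never touch a URL, and a separate, explicitly opt-in URL include) can be approximated in userland today. The following is an added example written for this page; it is not Stefan Esser's code and not part of PHP itself. The function names safe_include, include_url_explicit and looks_like_url, the $allowed_base parameter and the sample file are assumptions for illustration; allow_url_include is the real php.ini directive the mail refers to, while include_url and allow_dangerous_urls remain proposals and are not used as if they existed.

```php
<?php
// Added example, not from the original mail and not PHP's own code.
// Userland stand-in for the proposed split: safe_include() never opens a
// stream wrapper, include_url_explicit() is the only path to remote code and
// is additionally gated on allow_url_include.
declare(strict_types=1);

/**
 * True if $path carries a stream-wrapper scheme (http://, ftp://, php://,
 * data:, phar://, ...). The scheme pattern requires at least two characters
 * before the colon so that Windows drive letters ("C:\...") do not match.
 */
function looks_like_url(string $path): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $path) === 1) {
        return true;
    }
    // Also refuse any wrapper registered at runtime (covers single-letter
    // or custom wrappers the pattern above would miss).
    foreach (stream_get_wrappers() as $wrapper) {
        if (stripos($path, $wrapper . ':') === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Include only a file that resolves inside $allowed_base. URLs are rejected
 * before any stream is opened, so the value of allow_url_include no longer
 * matters for this code path; path traversal is caught by realpath().
 */
function safe_include(string $allowed_base, string $path): mixed
{
    if (looks_like_url($path)) {
        throw new InvalidArgumentException("refusing URL include: $path");
    }
    $base = realpath($allowed_base);
    $real = realpath($allowed_base . DIRECTORY_SEPARATOR . $path);
    // realpath() returns false for missing files and for stream wrappers.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException("path escapes $allowed_base: $path");
    }
    return include $real;
}

/**
 * The explicit, opt-in counterpart: remote code loads only when the caller
 * asks for it by name AND allow_url_include is enabled in php.ini.
 */
function include_url_explicit(string $url): mixed
{
    if (!looks_like_url($url)) {
        throw new InvalidArgumentException("not a URL: $url");
    }
    if (!filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('allow_url_include is off; refusing remote include');
    }
    return include $url;
}

// Demo on constructed input: one legitimate local file, then three paths
// that a plain include must never follow.
$dir = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/greeting.php", '<?php return "hello from a local file";');

echo safe_include($dir, 'greeting.php'), PHP_EOL;
foreach (['http://example.com/remote.txt', 'php://input', '../../etc/passwd'] as $bad) {
    try {
        safe_include($dir, $bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
unlink("$dir/greeting.php");
rmdir($dir);
```

Run it with any PHP 8 CLI; the first line prints the string returned by the local file and the loop prints one "rejected:" line per bad path. The realpath() comparison is what makes the base-directory check robust: it resolves symlinks and ".." before the prefix test, and it returns false for every stream wrapper, so even a wrapper that slipped past looks_like_url() could not be included through safe_include().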