Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:27437
Return-Path: <stas@zend.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 11149 invoked by uid 1010); 14 Jan 2007 11:04:46 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 11134 invoked from network); 14 Jan 2007 11:04:46 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 14 Jan 2007 11:04:46 -0000
Authentication-Results: pb1.pair.com smtp.mail=stas@zend.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=stas@zend.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain zend.com designates 212.25.124.162 as permitted sender)
X-PHP-List-Original-Sender: stas@zend.com
X-Host-Fingerprint: 212.25.124.162 mail.zend.com Linux 2.5 (sometimes 2.4) (4)
Received: from [212.25.124.162] ([212.25.124.162:56620] helo=mail.zend.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id B7/A7-20730-C4E0AA54 for <internals@lists.php.net>; Sun, 14 Jan 2007 06:04:46 -0500
Received: (qmail 2382 invoked from network); 14 Jan 2007 11:03:04 -0000
Received: from internal.zend.office (HELO mail.zend.com) (10.1.1.1)
  by internal.zend.office with SMTP; 14 Jan 2007 11:03:04 -0000
Date: Sun, 14 Jan 2007 13:03:04 +0200 (IST)
X-X-Sender: frodo@mail.zend.com
To: Marcus Boerger <helly@php.net>
cc: "internals@lists.php.net" <internals@lists.php.net>
In-Reply-To: <526994769.20070113181330@marcus-boerger.de>
Message-ID: <Pine.LNX.4.64.0701141301180.32133@mail.zend.com>
References: <F1076B95-2D05-4690-AE84-21FC0552F17A@ch2o.info>
 <45A8FC49.7050909@hardened-php.net> <45A90809.3050008@lerdorf.com>
 <45A91002.8020607@hardened-php.net> <526994769.20070113181330@marcus-boerger.de>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: Re: [PHP-DEV] Comments on PHP security
From: stas@zend.com (Stanislav Malyshev)

MB>>  i also think something should be done here. The is_url flag does not 
MB>>really help. What we imho need is an ini setting that allows 
MB>>specifying which stream handlers to allow. And that should not include 
MB>>user streams.

I don't see how user streams have anything to do with it - if you can 
define user stream, you also can run any code you wanted to run through a 
stream directly. If you have control over execution engine, you can run 
any code, stream or not stream. 

-- 
Stanislav Malyshev, Zend Products Engineer
stas@zend.com  http://www.zend.com/