Newsgroups: php.internals
Xref: news.php.net php.internals:27438
Date: Sun, 14 Jan 2007 12:15:55 +0100
From: helly@php.net (Marcus Boerger)
To: Stanislav Malyshev
Cc: "internals@lists.php.net"
Message-ID: <1068954964.20070114121555@marcus-boerger.de>
References: <45A8FC49.7050909@hardened-php.net> <45A90809.3050008@lerdorf.com> <45A91002.8020607@hardened-php.net> <526994769.20070113181330@marcus-boerger.de>
Subject: Re: [PHP-DEV] Comments on PHP security

Hello Stanislav,

I always have control of what I program. I always have control of which files I load. Ergo there is no security issue - WOW.

best regards
marcus

Sunday, January 14, 2007, 12:03:04 PM, you wrote:

MB>>> i also think something should be done here. The is_url flag does not
MB>>> really help. What we imho need is an ini setting that allows
MB>>> specifying which stream handlers to allow. And that should not include
MB>>> user streams.

> I don't see how user streams have anything to do with it - if you can
> define user stream, you also can run any code you wanted to run through a
> stream directly. If you have control over execution engine, you can run
> any code, stream or not stream.

Best regards,
 Marcus
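The quoted proposal is an ini setting that allowlists which stream wrappers may be used for loading files. PHP has no setting of exactly that shape (the related switches are allow_url_fopen and allow_url_include); the following is an added example, not code from this thread or from PHP itself, showing how an application can approximate that allowlist on its own with stream_get_wrappers() and stream_wrapper_unregister(). The function names and the candidate paths are this example's own constructions.

```php
<?php
// Added example (not from the php.internals thread): an application-level
// allowlist of stream wrappers, approximating the ini-style restriction
// proposed in the quoted message. Function names here are hypothetical.
declare(strict_types=1);

/**
 * Return the wrapper scheme of a path, or "file" for a plain filesystem path.
 */
function stream_scheme_of(string $path): string
{
    // "scheme://..." selects a wrapper; anything else is a plain path.
    if (preg_match('#^([A-Za-z][A-Za-z0-9+.\-]*)://#', $path, $m) === 1) {
        return strtolower($m[1]);
    }
    return 'file';
}

/**
 * Unregister every wrapper not in $allowed so that include/fopen/etc.
 * cannot reach them in this process. Returns the wrappers that were removed.
 * Note: a userspace wrapper registered later via stream_wrapper_register(),
 * or a built-in restored via stream_wrapper_restore(), is not covered; this
 * is defence in depth, not a sandbox (the point the reply above makes).
 */
function restrict_stream_wrappers(array $allowed): array
{
    $removed = [];
    foreach (stream_get_wrappers() as $wrapper) {
        if (!in_array($wrapper, $allowed, true) && @stream_wrapper_unregister($wrapper)) {
            $removed[] = $wrapper;
        }
    }
    return $removed;
}

/**
 * Validate a path before `include`: reject any scheme outside the allowlist,
 * so a user-influenced include name cannot select php://, data://, http://
 * or a userspace wrapper. Returns the path unchanged when it is acceptable.
 */
function check_include_path(string $path, array $allowed): string
{
    $scheme = stream_scheme_of($path);
    if (!in_array($scheme, $allowed, true)) {
        throw new RuntimeException("stream wrapper '{$scheme}' is not permitted for include");
    }
    return $path;
}

// Usage: only plain files and phar archives may be loaded.
$allowed = ['file', 'phar'];
$removed = restrict_stream_wrappers($allowed);
printf("unregistered wrappers: %s\n", implode(', ', $removed));

// Constructed candidates; in real code the call would be
//   include check_include_path($name, $allowed);
$candidates = [
    'templates/header.php',                 // plain path -> allowed
    'phar://bundle.phar/header.php',        // allowed scheme
    'php://input',                          // rejected
    'data://text/plain;base64,SGVsbG8=',    // rejected
    'http://example.invalid/header.php',    // rejected
];
foreach ($candidates as $candidate) {
    try {
        check_include_path($candidate, $allowed);
        echo "$candidate: allowed\n";
    } catch (RuntimeException $e) {
        echo "$candidate: rejected ({$e->getMessage()})\n";
    }
}
```

Two things worth checking when adopting a scheme allowlist like this: the check must run on the final string passed to include (after any concatenation), since the scheme prefix is decided by the first characters of that string; and unregistering wrappers is per request and reversible from PHP code, which is exactly why the reply above argues that restricting user streams does not by itself stop someone who already controls what the engine executes.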