Newsgroups: php.internals
Xref: news.php.net php.internals:27440
Date: Sun, 14 Jan 2007 12:23:20 +0100 (MET)
From: sesser@hardened-php.net (Stefan Esser)
To: Greg Beaver
CC: Marcus Boerger, Ilia Alshanetsky, Rasmus Lerdorf, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Comments on PHP security
Message-ID: <45AA12AB.40404@hardened-php.net>
In-Reply-To: <45A9B012.3000903@php.net>
References: <45A8FC49.7050909@hardened-php.net> <45A90809.3050008@lerdorf.com> <45A91002.8020607@hardened-php.net> <526994769.20070113181330@marcus-boerger.de> <904174835.20070113183221@marcus-boerger.de> <45A91AE0.2070407@hardened-php.net> <45A9B012.3000903@php.net>

Greg,

I was not talking about providing all the different versions of include. For me it is a broken application design to include anything out of a URL wrapper. However it would also be fine to just have allow_url_include affect all URLs and to be settable by ini_set() and be turned off by default. Insane applications can then turn it on/off for every REMOTE URL they need. Aside from that there could be a setting for the admin to completely disallow URLs marked as is_URL.

Stefan Esser
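An added example, not code from this thread or from PHP itself: an application-level include helper that refuses any include name routed through a URL stream wrapper (the effect the proposed admin-side "disallow is_URL" setting would have globally, independent of allow_url_include) and additionally confines the include to one base directory. It assumes PHP 8 and the stream_is_local() function; the function names include_local() and is_url_path() are this example's own.

```php
<?php
// Added example (not from the original thread): a local-only include helper.
// It rejects wrapper-routed paths before they reach include, so the application
// does not depend on the allow_url_include / allow_url_fopen ini state.

function is_url_path(string $path): bool
{
    // A scheme prefix such as "http://", "ftp://", "data:" or "php://" sends the
    // include through a stream wrapper rather than the local filesystem. The
    // scheme must be at least two characters so Windows drive letters ("C:\")
    // are not mistaken for a scheme.
    if (preg_match('#^[a-zA-Z][a-zA-Z0-9+.-]+:#', $path) === 1) {
        return true;
    }
    // stream_is_local() is false for wrappers whose is_url flag is set.
    return !stream_is_local($path);
}

function include_local(string $baseDir, string $name): mixed
{
    if (is_url_path($name)) {
        throw new InvalidArgumentException("refusing URL include: $name");
    }

    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves symlinks and "..", so a prefix check on the resolved
    // path keeps the include inside $baseDir.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException("refusing include outside $baseDir: $name");
    }

    return include $real;
}

// Usage: only names resolving to files below ./templates are ever included;
// "http://example.invalid/x.php" and "../config.php" both throw.
// $result = include_local(__DIR__ . '/templates', 'header.php');
```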