Newsgroups: php.internals
Xref: news.php.net php.internals:27442
Date: Sun, 14 Jan 2007 14:52:05 +0200 (IST)
From: stas@zend.com (Stanislav Malyshev)
To: Stefan Esser
Cc: Marcus Boerger, "internals@lists.php.net"
Subject: Re: [PHP-DEV] Comments on PHP security
In-Reply-To: <45AA116F.7020109@hardened-php.net>
References: <45A8FC49.7050909@hardened-php.net> <45A90809.3050008@lerdorf.com> <45A91002.8020607@hardened-php.net> <526994769.20070113181330@marcus-boerger.de> <45AA116F.7020109@hardened-php.net>

SE>>And If I am not completely mistaken here unlike php://filter a
SE>>userstream will not give the THIS_IS_AN_INCLUDE_FLAG down to a stream
SE>>itself opens.

I think I see what you mean now - i.e. that the user implementation might be tricked into opening a URL for include even though directly opening a URL for include is not allowed, and since it would do e.g. fopen, it may work around the allow_url_include.

I would say in most cases prohibiting anything but the plain file wrapper for include might be OK, however I know about a number of instances of legitimate wrappers used for include - e.g. archive files like phar and there are other, custom solutions that I saw that use wrappers as a base.

Maybe it would be a good idea also to pass a flag to stream_open saying it is used for include - though it won't fix broken code of course.

--
Stanislav Malyshev, Zend Products Engineer
stas@zend.com  http://www.zend.com/
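
The message above concerns a userland wrapper whose stream_open() calls fopen() on whatever target it was handed, so that an include through the wrapper reaches a URL even though allow_url_include forbids it. As an added example (not part of the original message and not code from PHP itself), here is a wrapper that vets its target before opening it. The `tpl://` scheme, the `LocalOnlyWrapper` class and the sample files are assumptions of this example, and the base-directory check goes slightly beyond the URL case discussed in the message.

```php
<?php
// Added example. "tpl://", LocalOnlyWrapper and the sample files are hypothetical.
final class LocalOnlyWrapper
{
    public static $baseDir = '';  // directory includes are confined to (assumption)
    public $context;              // set by PHP when the wrapper is instantiated
    private $fh;

    public function stream_open($path, $mode, $options, &$opened_path)
    {
        $target = substr($path, strlen('tpl://'));
        // The fopen() below is checked against allow_url_fopen, not allow_url_include,
        // so refuse any nested scheme (http:, ftp:, php:, data:, ...) and any write mode.
        if ($mode[0] !== 'r' || preg_match('#^[a-z][a-z0-9+.\-]*:#i', $target)) {
            return false;
        }
        // Resolve ".." and symlinks, then require the result to sit under baseDir.
        $base = realpath(self::$baseDir);
        $real = realpath(self::$baseDir . DIRECTORY_SEPARATOR . $target);
        if ($base === false || $real === false
            || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            return false;
        }
        $this->fh = fopen($real, 'rb');  // plain-file open of a vetted local path
        return $this->fh !== false;
    }
    public function stream_read($count) { return fread($this->fh, $count); }
    public function stream_eof() { return feof($this->fh); }
    public function stream_stat() { return fstat($this->fh); }
    public function stream_set_option($option, $arg1, $arg2) { return false; }
    public function stream_close() { fclose($this->fh); }
}

// Registered without STREAM_IS_URL, so PHP treats tpl:// as a local wrapper.
stream_wrapper_register('tpl', 'LocalOnlyWrapper');

// Constructed sample data so the example runs offline.
LocalOnlyWrapper::$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
@mkdir(LocalOnlyWrapper::$baseDir);
file_put_contents(LocalOnlyWrapper::$baseDir . '/hello.php', '<?php return "included local file";');

var_dump(include 'tpl://hello.php');                          // served from baseDir
var_dump(@fopen('tpl://http://example.invalid/x.php', 'r'));  // nested URL refused
var_dump(@fopen('tpl://../outside.txt', 'r'));                // path outside baseDir refused
```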