Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:27505 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 316 invoked by uid 1010); 17 Jan 2007 14:51:15 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 301 invoked from network); 17 Jan 2007 14:51:15 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 17 Jan 2007 14:51:15 -0000 Authentication-Results: pb1.pair.com header.from=jochem@iamjochem.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=jochem@iamjochem.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain iamjochem.com from 194.109.193.121 cause and error) X-PHP-List-Original-Sender: jochem@iamjochem.com X-Host-Fingerprint: 194.109.193.121 mx1.moulin.nl Linux 2.6 Received: from [194.109.193.121] ([194.109.193.121:39796] helo=mx1.moulin.nl) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 6C/03-13410-1E73EA54 for ; Wed, 17 Jan 2007 09:51:14 -0500 Received: from localhost (localhost [127.0.0.1]) by mx1.moulin.nl (Postfix) with ESMTP id 5AA982466DE; Wed, 17 Jan 2007 15:51:16 +0100 (CET) X-Virus-Scanned: amavisd-new at moulin.nl Received: from mx1.moulin.nl ([127.0.0.1]) by localhost (mx1.moulin.nl [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id krh9OKIWGdB0; Wed, 17 Jan 2007 15:51:09 +0100 (CET) Received: from [192.168.1.102] (bspr.xs4all.nl [194.109.161.228]) by mx1.moulin.nl (Postfix) with ESMTP id 983F22448AD; Wed, 17 Jan 2007 15:51:09 +0100 (CET) Message-ID: <45AE37D7.5010405@iamjochem.com> Date: Wed, 17 Jan 2007 15:51:03 +0100 User-Agent: Thunderbird 1.5.0.9 (Windows/20061207) MIME-Version: 1.0 To: Ilia Alshanetsky CC: Sara Golemon , internals@lists.php.net References: <45AD76C3.5030303@php.net> <5821E0F2-6E5D-434E-B49B-A46E6FE0E8C4@prohost.org> In-Reply-To: <5821E0F2-6E5D-434E-B49B-A46E6FE0E8C4@prohost.org> X-Enigmail-Version: 0.94.1.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] allow_url_fopen / allow_url_include and fine grained control From: jochem@iamjochem.com (Jochem Maas) Ilia Alshanetsky wrote: > > On 16-Jan-07, at 8:07 PM, Sara Golemon wrote: > >> allow_url_include has been bashed lately for being "not good enough", >> and there is a kernel of truth to that, though where the ultimate >> blame falls if of course a touchy subject. > > Not really, I mean is it so difficult to expect the extension writer to > know that if they are working with remote streams that they should set > is_url to 1 rather then 0. > >> So rather than continue the fight over who's shoulders the job of >> security should fall on, how about the attached patch which puts a >> little more power in the hands of the user/site-admin to control what >> can be treated as a url include, and how it can be treated that way. > > I do not think that this is a good idea. Controlling security settings > via INI is just a recipe for disaster and will only lead to problem due > to poor configuration choices. Basically you are moving the "blame" from > extension writers that provide stream wrappers (fairly limited group) > onto a far larger group of users. what what it's worth, my opinion (as a member of the 'larger group of users'): as an end user I'd rather have the control myself and be the one to blame, than be at the 'mercy' of extension writers - where I have little to no idea if an extension behaves or not (and if not if/when it might be corrected). I see no reason to think that hosting providers & or packages would think any differently ... unless their lazy and enjoy passing the buck all the time. this does presume that good documentation and best-practice recommendations are available. rgds, Jochem (php village idiot by profession)