Newsgroups: php.internals
Message-ID: <45AE62FE.2040805@zend.com>
Date: Wed, 17 Jan 2007 09:55:10 -0800
Organization: Zend Technologies
From: Stanislav Malyshev <stas@zend.com>
To: Alain Williams
CC: Arnold Daniels, Greg Beaver, Stefan Esser, Marcus Boerger, internals@lists.php.net
References: <45A8FC49.7050909@hardened-php.net> <45A90809.3050008@lerdorf.com> <45A91002.8020607@hardened-php.net> <526994769.20070113181330@marcus-boerger.de> <45AA116F.7020109@hardened-php.net> <45AA961D.4090401@php.net> <45AD63A1.2040206@adaniels.nl> <20070117084600.GA19933@mint.phcomp.co.uk>
In-Reply-To: <20070117084600.GA19933@mint.phcomp.co.uk>
Subject: Re: [PHP-DEV] Comments on PHP security

>> fopen($file, 'r') and fopen($url, 'ru') and fopen('php://output', 'ru').

What about all the other functions using streams that do not have fopen arguments? The whole idea of streams was for things to work transparently with all functions; if it were only about fopen, there would be no reason to do streams...

>> In my opinion, using '*://' streams is an advanced feature. Developers
>> who are using that should be able to make sure no URLs are opened.

Again, all streams exist for that. And if we attempt to restrict the local developer (which IMO we should not, but _if_ we do) then we can't rely on him at the same time.

-- 
Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/
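The point above, that a mode flag on fopen() cannot cover the other stream-aware functions because they all share one wrapper layer, can be seen directly. The script below is an added example and is not code from the thread or from PHP's own sources; it assumes PHP 8 (union return types) and invents a `demo://` scheme with a constructed in-memory file. The hypothetical `DemoWrapper` class logs every entry point that reaches it, so the output shows fopen()/fread(), file_get_contents(), file() and file_exists() all arriving at the same wrapper, and then shows that one wrapper-level change (stream_wrapper_unregister) cuts all of them off at once.

```php
<?php
// Added example, not from the original thread: a tiny in-memory stream wrapper
// that records every call reaching it, to show that fopen(), file_get_contents(),
// file() and file_exists() all funnel through the same wrapper. Assumes PHP 8.
declare(strict_types=1);

final class DemoWrapper
{
    /** @var resource|null set by PHP when a stream context is passed in */
    public $context;

    /** Constructed sample "remote" content, keyed by URL (not real data). */
    private static array $files = [
        'demo://host/hello.txt' => "hello from the demo wrapper\n",
    ];

    /** Every wrapper entry point that was hit, in order, for the demonstration. */
    public static array $log = [];

    private string $data = '';
    private int $pos = 0;

    public function stream_open(string $path, string $mode, int $options, ?string &$opened_path): bool
    {
        self::$log[] = "stream_open($path)";
        if (!isset(self::$files[$path])) {
            return false;                       // unknown path: fopen() and friends get false
        }
        $this->data = self::$files[$path];
        return true;
    }

    public function stream_read(int $count): string|false
    {
        $chunk = substr($this->data, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }

    public function stream_eof(): bool
    {
        return $this->pos >= strlen($this->data);
    }

    public function stream_stat(): array|false
    {
        return ['size' => strlen($this->data)];
    }

    /** Backs file_exists(), is_file(), filesize() etc. without opening the stream. */
    public function url_stat(string $path, int $flags): array|false
    {
        self::$log[] = "url_stat($path)";
        return isset(self::$files[$path]) ? ['size' => strlen(self::$files[$path])] : false;
    }
}

// STREAM_IS_URL marks the wrapper as remote, so the engine applies the same
// allow_url_fopen / allow_url_include checks it applies to http:// and ftp://.
stream_wrapper_register('demo', DemoWrapper::class, STREAM_IS_URL)
    or exit("could not register demo:// wrapper\n");

$url = 'demo://host/hello.txt';

// Four different user-facing functions, none of them carrying a mode argument
// that an fopen()-only flag could hook into, all reaching the same wrapper.
$fh = fopen($url, 'r');
$viaFopen = $fh ? fread($fh, 64) : false;
if ($fh) {
    fclose($fh);
}
$viaFgc    = file_get_contents($url);
$viaFile   = file($url);                 // array of lines
$viaExists = file_exists($url);

printf("fopen/fread:       %s", $viaFopen);
printf("file_get_contents: %s", $viaFgc);
printf("file():            %s", implode('', $viaFile));
printf("file_exists():     %s\n", var_export($viaExists, true));
echo "wrapper calls: ", implode(', ', DemoWrapper::$log), "\n";

// Restricting at the wrapper level covers all of them at once. After
// unregistering, "demo://" is no longer a scheme PHP knows, the engine falls
// back to treating the string as a local path that does not exist, and every
// one of these calls fails regardless of which function issued it.
stream_wrapper_unregister('demo');
$afterFopen  = @fopen($url, 'r');
$afterFgc    = @file_get_contents($url);
$afterExists = @file_exists($url);
printf("after unregister: fopen=%s file_get_contents=%s file_exists=%s\n",
    var_export($afterFopen, true), var_export($afterFgc, true), var_export($afterExists, true));
```

Run it with `php demo.php`. For PHP's built-in remote wrappers the equivalent knobs are `allow_url_fopen` and `allow_url_include` (both PHP_INI_SYSTEM, so they belong in php.ini, not in an ini_set() call) and `stream_wrapper_unregister('http')` and friends. Note the caveat that matches the second half of the message above: unregistering a wrapper is not a boundary against the code running in the same process, since that code can call `stream_wrapper_restore()` or register its own wrapper again; it only stops accidental use, which is the "rely on the developer" case, not the "restrict the developer" case.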