Newsgroups: php.internals
Date: Wed, 17 Jan 2007 22:48:50 +0100
From: helly@php.net (Marcus Boerger)
To: Ilia Alshanetsky
Cc: Sara Golemon, internals@lists.php.net
Subject: Re: [PHP-DEV] allow_url_fopen / allow_url_include and fine grained control

Hello Ilia,

Wednesday, January 17, 2007, 3:09:15 PM, you wrote:

> On 16-Jan-07, at 8:07 PM, Sara Golemon wrote:
>> allow_url_include has been bashed lately for being "not good
>> enough", and there is a kernel of truth to that, though where the
>> ultimate blame falls is of course a touchy subject.

> Not really, I mean is it so difficult to expect the extension writer
> to know that if they are working with remote streams that they should
> set is_url to 1 rather than 0.

Well these are two different things. One is a naming issue, where the name
of a structure member is more than misleading. On the other hand we have
the INI setting which currently only allows to choose between all and
nothing. That means, if you need to enable one of the external url handlers
then you are forced to allow them all and by that lowering your security
settings. Sara's patch now gives a much better control. Regardless of
whether extension writers read the docu or not. However we might want to
rename the structure member.

[...]

Best regards,
 Marcus