Newsgroups: php.internals
From: ceo@l-i-e.com ("Richard Lynch")
To: "Sara Golemon"
Cc: internals@lists.php.net
Date: Sun, 21 Jan 2007 23:44:19 -0600 (CST)
Subject: Re: [PHP-DEV] allow_url_fopen / allow_url_include and fine grained control

On Tue, January 16, 2007 7:07 pm, Sara Golemon wrote:
> allow_url_fopen and allow_url_include continue to accept boolean flags
> in order to behave just as they do now: true/on allows anything,
> false/off allows only those wrappers without the is_url bit set.

+1, fwiw.

As far as the "user" being able to implement something otherwise
dis-allowed... Well, yeah, they could.

I'm not sure who would really turn off an internal wrapper, then turn
on "user" then be upset that somebody coded a work-around for a
blocked internal wrapper...

I mean, that just seems like an unlikely real-world sequence of
events, in any decent work-place...

I suppose if it's the case of malicious code getting executed, there'd
be a point, but really, once you have arbitrary malicious PHP code
getting executed on your box, it's kind of moot if they can then
download more PHP code to execute, isn't it?...

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some starving artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?