Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:29517 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 61363 invoked by uid 1010); 18 May 2007 15:51:57 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 61348 invoked from network); 18 May 2007 15:51:57 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 18 May 2007 15:51:57 -0000 Authentication-Results: pb1.pair.com smtp.mail=greg@chiaraquartet.net; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=greg@chiaraquartet.net; sender-id=unknown Received-SPF: error (pb1.pair.com: domain chiaraquartet.net from 66.79.163.178 cause and error) X-PHP-List-Original-Sender: greg@chiaraquartet.net X-Host-Fingerprint: 66.79.163.178 bluga.net Linux 2.5 (sometimes 2.4) (4) Received: from [66.79.163.178] ([66.79.163.178:33025] helo=mail.bluga.net) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id AF/90-48082-B9BCD464 for ; Fri, 18 May 2007 11:51:57 -0400 Received: from mail.bluga.net (mail.bluga.net [127.0.0.1]) by mail.bluga.net (Postfix) with ESMTP id 41F0B8740E for ; Fri, 18 May 2007 08:53:24 -0700 (PDT) Received: from [10.20.109.107] (unknown [166.216.123.186]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.bluga.net (Postfix) with ESMTP id 04B3C87361 for ; Fri, 18 May 2007 08:53:20 -0700 (PDT) Message-ID: <464DCB8C.90803@chiaraquartet.net> Date: Fri, 18 May 2007 10:51:40 -0500 User-Agent: Thunderbird 1.5.0.10 (Windows/20070221) MIME-Version: 1.0 To: php-dev X-Enigmail-Version: 0.94.1.2 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV using ClamSMTP Subject: potential solution to user streams + allow_url_include=off From: greg@chiaraquartet.net (Greg Beaver) Hi, I think I have a solution that would allow user streams in PHP 6 and still satisfy paranoid hosters. First, let me clarify what I see as the assumed problem, so that if I have missed something, you will correct my assumption: My assumption: ============== The point of allow_url_include/allow_url_fopen is to prevent stupid remote execution vulnerabilities like: allow_url_(include|fopen) is not intended to prevent users from accessing remote sites, as it is still possible through fsockopen() and other methods to access the outside world. A firewall is the only way to truly prevent access to the outside world. Note that the stream wrapper file:// is a local stream wrapper. Remote stream wrappers access the outside world such as http:// ftp:// and gopher:// The problem: ============ Because there is no way to be sure that a userspace stream is not remote, all userspace streams are marked as remote and so allow_url_(include|fopen) applies to them. As such, because allow_url_(include|fopen) are disabled by default in PHP 6, this will effectively kill userspace streams for anything but niche usage. The solution: ============= Add a new function: stream_wrapper_set_local() This function would be used to mark a registered user stream wrapper as being local, which would allow it to be used. It would not affect internal stream wrappers. Why would this be any different? The point of the allow_* options is to make it more difficult to write insecure code. This would still apply, as a user would have to explicitly register a stream wrapper as being local. This way, our example code: would still fail on all the wrappers it should fail on. The malicious use of a userspace stream wrapper that is remote would still fail unless the user explicitly marked it as local. Paranoid hosters could simply put stream_wrapper_set_local() into the disable_functions option. Comments? Greg