Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:29518
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Received-SPF: error (pb1.pair.com: domain prohost.org from 64.233.162.233 cause and error)
In-Reply-To: <464DCB8C.90803@chiaraquartet.net>
References: <464DCB8C.90803@chiaraquartet.net>
Mime-Version: 1.0 (Apple Message framework v752.3)
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
Message-ID: <609ADB44-D9CB-4DCD-97E0-28416CEC4883@prohost.org>
Cc: php-dev <internals@lists.php.net>
Content-Transfer-Encoding: 7bit
Date: Fri, 18 May 2007 11:57:02 -0400
To: Greg Beaver <greg@chiaraquartet.net>
Subject: Re: [PHP-DEV] potential solution to user streams + allow_url_include=off
From: ilia@prohost.org (Ilia Alshanetsky)

I don't think this is a good idea. If you need to access external  
data use fsockopen or stream code or even cURL. Creating filters just  
to add bypasses for them seems silly to me.


On 18-May-07, at 11:51 AM, Greg Beaver wrote:

> Hi,
>
> I think I have a solution that would allow user streams in PHP 6 and
> still satisfy paranoid hosters.
>
> First, let me clarify what I see as the assumed problem, so that if I
> have missed something, you will correct my assumption:
>
> My assumption:
> ==============
> The point of allow_url_include/allow_url_fopen is to prevent stupid
> remote execution vulnerabilities like:
>
> <?php
> include $_GET['dumb'];
> ?>
>
> allow_url_(include|fopen) is not intended to prevent users from
> accessing remote sites, as it is still possible through fsockopen()  
> and
> other methods to access the outside world.  A firewall is the only way
> to truly prevent access to the outside world.
>
> Note that the stream wrapper file:// is a local stream wrapper.   
> Remote
> stream wrappers access the outside world such as http:// ftp:// and
> gopher://
>
> The problem:
> ============
> Because there is no way to be sure that a userspace stream is not
> remote, all userspace streams are marked as remote and so
> allow_url_(include|fopen) applies to them.  As such, because
> allow_url_(include|fopen) are disabled by default in PHP 6, this will
> effectively kill userspace streams for anything but niche usage.
>
> The solution:
> =============
> Add a new function: stream_wrapper_set_local()
>
> This function would be used to mark a registered user stream  
> wrapper as
> being local, which would allow it to be used.  It would not affect
> internal stream wrappers.
>
> Why would this be any different?  The point of the allow_* options  
> is to
> make it more difficult to write insecure code.  This would still  
> apply,
> as a user would have to explicitly register a stream wrapper as being
> local.  This way, our example code:
>
> <?php
> include $_GET['dumb'];
> ?>
>
> would still fail on all the wrappers it should fail on.  The malicious
> use of a userspace stream wrapper that is remote would still fail  
> unless
> the user explicitly marked it as local.
>
> Paranoid hosters could simply put stream_wrapper_set_local() into the
> disable_functions option.
>
> Comments?
>
> Greg
>
> -- 
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Ilia Alshanetsky