Newsgroups: php.internals
Message-ID: <7d5a202f0705181813l221248cdu85197a82a1ee4227@mail.gmail.com>
Date: Fri, 18 May 2007 21:13:47 -0400
From: judas.iscariote@gmail.com ("Cristian Rodriguez")
To: internals@lists.php.net
In-Reply-To: <464DCB8C.90803@chiaraquartet.net>
References: <464DCB8C.90803@chiaraquartet.net>
Subject: Re: [PHP-DEV] potential solution to user streams + allow_url_include=off

2007/5/18, Greg Beaver:
> Hi,
>
> I think I have a solution that would allow user streams in PHP 6 and
> still satisfy paranoid hosters.

s/paranoid/sane/g

> as it is still possible through fsockopen() and
> other methods to access the outside world.

with a "tiny" :) difference, remote connections with fsockopen() and friends will not parse and interpret PHP code directly unless the user eval()s it..:)

> A firewall is the only way
> to truly prevent access to the outside world.

yes, agree, but the remote "include" feature just makes unintentional mistakes easy, if you look at real-life code that uses the url_include thingy.. in 99% of the cases they meant readfile() ..ohh but what about fopen + eval ? well in that case the user will **always** want to eval() **explicitly** and there is nothing that PHP can do to avoid that stupidity..
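
The distinction drawn in the message above (include of a URL parses and runs what it fetches, readfile() only outputs it) can be checked for in a code base. The following is an added example, not part of the original post or of PHP itself: a regex-based heuristic, not a PHP parser, and `audit_includes`, `classify` and the sample source are constructed for illustration.

```python
import re

SQ = r"'(?:\\.|[^'\\])*'"
DQ = r'"(?:\\.|[^"\\])*"'
STRING = f"(?:{SQ}|{DQ})"
COMMENT = r"/\*.*?\*/|//[^\n]*|#[^\n]*"
# One left-to-right scanner: comments and free-standing strings are consumed
# first, so a keyword inside them (or the '//' of a URL) is never misread.
SCANNER = re.compile(
    rf"(?P<skip>{COMMENT}|{STRING})"
    rf"|(?<![\w$>:])(?P<kw>include_once|require_once|include|require)\b"
    rf"(?P<arg>(?:{STRING}|[^;'\"])*);",
    re.I | re.S,
)
SCHEME = re.compile(r"[a-z][a-z0-9+.\-]*://", re.I)

def classify(expr):
    """Return 'local-literal', 'url-literal' or 'dynamic' for an include target."""
    expr = expr.strip()
    while expr.startswith("(") and expr.endswith(")"):
        expr = expr[1:-1].strip()
    is_literal = re.fullmatch(STRING, expr, re.S) is not None
    # Anything that is not one constant string (variables, concatenation,
    # interpolation) could resolve to a URL at run time: needs manual review.
    if not is_literal or (expr[0] == '"' and "$" in expr):
        return "dynamic"
    # A constant scheme://... target is executed as PHP when allow_url_include
    # is on; if the intent was to output the content, readfile() is the call.
    return "url-literal" if SCHEME.match(expr[1:-1]) else "local-literal"

def audit_includes(src):
    """List (line, keyword, kind, target) for every non-local include/require."""
    findings = []
    for m in SCANNER.finditer(src):
        if m.group("kw") is None:
            continue  # a comment or a string outside an include statement
        kind = classify(m.group("arg"))
        if kind != "local-literal":
            line = src.count("\n", 0, m.start("kw")) + 1
            findings.append((line, m.group("kw").lower(), kind, m.group("arg").strip()))
    return findings

# Constructed sample input (hypothetical application code).
SAMPLE_PHP = """<?php
// include 'http://commented.example/out.php';  (inside a comment: ignored)
require_once 'lib/config.php';
include 'http://partner.example/banner.html';
include($_GET['page'] . '.php');
$include = 'not an include statement';
readfile('http://partner.example/banner.html');
"""

if __name__ == "__main__":
    for finding in audit_includes(SAMPLE_PHP):
        print(finding)
```

Heredocs and inline HTML outside `<?php` tags are not handled, so treat the output as a review list rather than a verdict.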