Newsgroups: php.internals
Date: Sat, 19 May 2007 05:42:39 -0400
From: judas.iscariote@gmail.com ("Cristian Rodriguez")
To: internals@lists.php.net
Subject: Re: [PHP-DEV] potential solution to user streams + allow_url_include=off

2007/5/18, Stanislav Malyshev:
> Sane hosters do not rely on general-purpose language to provide
> security, they use OS and hardware designed for exactly that purpose. ;)

Unfortunately, hosters have to equilibrate security vs. usability for their customers, so disallowing 100% access to the outside world is frequently not possible.

The issue with this remote URL include thingy is that it is hard to find a valid use case. Does anyone have a **real** one? Why was it introduced in the first place?

No, I'm not talking about crippling the language for security reasons, as some may argue. My point is that this "feature" in reality causes far more harm than good, and it has become one of the top ways to attack applications since its introduction. My intention is only to make people think about whether the hassle of adding new ini directives (like allow_url_include) or functions is worth it.

Maybe with PHP6 this issue can be addressed from its roots instead of adding yet another workaround.

My $2.