Newsgroups: php.internals
From: stas@zend.com (Stanislav Malyshev)
Organization: Zend Technologies
To: Marcus Boerger
CC: php-dev
Date: Wed, 30 May 2007 01:15:52 -0700
Subject: Re: [PHP-DEV] [PATCH] potential solution to user streams + allow_url_include=off

> why then not have ini as follows:
> allow_url_(fopen|include)_(local|user|remote)
> That is 6 for the six cases - or is that too easy?

Because there's no need for 6 settings. Also, what is allow_url_include_local supposed to mean? Why would one prohibit local file access and local includes?

The whole idea of the patch is to make user streams behave more like built-in streams while ensuring that random mistakes in user stream implementation (such as forgetting to check if the URL is local) would not lead the stream to include remote code.

-- 
Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/