Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:36640 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 55430 invoked from network); 28 Mar 2008 11:00:16 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 28 Mar 2008 11:00:16 -0000 Authentication-Results: pb1.pair.com header.from=helly@php.net; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=helly@php.net; spf=unknown; sender-id=unknown Received-SPF: unknown (pb1.pair.com: domain php.net does not designate 85.214.94.56 as permitted sender) X-PHP-List-Original-Sender: helly@php.net X-Host-Fingerprint: 85.214.94.56 aixcept.net Linux 2.6 Received: from [85.214.94.56] ([85.214.94.56:34218] helo=h1149922.serverkompetenz.net) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id E8/55-25926-EBFCCE74 for ; Fri, 28 Mar 2008 06:00:15 -0500 Received: from dhcp-172-28-202-230.zrh.corp.google.com (unknown [193.142.125.1]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by h1149922.serverkompetenz.net (Postfix) with ESMTP id 2646411F045; Fri, 28 Mar 2008 12:00:11 +0100 (CET) Date: Fri, 28 Mar 2008 12:00:10 +0100 Reply-To: Marcus Boerger X-Priority: 3 (Normal) Message-ID: <331809707.20080328120010@marcus-boerger.de> To: "Pierre Joye" CC: "Gregory Beaver" , "Stanislav Malyshev" , "Dmitry Stogov" , "Stefan Walk" , , "Marcus Boerger" In-Reply-To: References: <47E2F8FA.20107@chiaraquartet.net> <47E7FEFD.8080504@chiaraquartet.net> <47E800F1.5090101@zend.com> <200803251613.20245.et@php.net> <47E91898.5050503@zend.com> <47E92D3B.7010500@chiaraquartet.net> <47E930C0.6000201@zend.com> <47E94C24.2030400@chiaraquartet.net> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: Re: [PHP-DEV] REMINDER - stream wrappers in include_path From: helly@php.net (Marcus Boerger) Hello Pierre, that sounds like a good idea. Let's provide a generic solution for this. marcus Friday, March 28, 2008, 11:03:46 AM, you wrote: > Hi, > On Tue, Mar 25, 2008 at 8:01 PM, Gregory Beaver wrote: >> Stanislav Malyshev wrote: >> >> stream wrapper. Here is an example: >> >> >> >> oops.broken://UNC/path >> > >> > I wonder if .://UNC/path is treated as "."+//UNC/path (and the same >> > for ..). It should anyway :) However I'm not too worried without >> > pathes like foo.bar - not likely to have path without any slashes >> > unless it's . or .., and if you do, you always can say ./foo.bar >> > >> That's a great question. In attempting to answer, I think I may have >> unfortunately found a severe flaw in the patch, allowing reading past >> the end of the filename and the include_path. >> >> If we pass a file named "hello:" to php_resolve_path, this code: >> >> if ((*p == ':') && (p - filename > 1) && (p[1] == '/') && (p[2] == '/')) { > A little notice about this test. It is present in many places in our > code base, it is very difficult to actually fix or improve it without > introducing side effects on a platform or in a specific case. I > discussed this test with Dmitry two weeks ago, it would rock to have > it in a is_url function and manage all specificities there (or in more > functions in required). > One case that has to be managed (can be done later) is the Netware > paths, volumes name can be larger than one later on this platform > (myvolume: for example). #43353 is a case where the problem occurs. > I did not test the patch but it would be nice to do this change at the > same time, it will certainly make our work easier in the future. > Cheers, > -- > Pierre > http://blog.thepimp.net | http://www.libgd.org Best regards, Marcus