Newsgroups: php.internals
From: stefan.esser@sektioneins.de (Stefan Esser)
Date: Sat, 09 Aug 2008 13:35:57 +0200
To: Dmitry Stogov
CC: internals@lists.php.net
Subject: Re: [PHP-DEV] include bug in 5.3

Hello Dmitry,

while you are at fixing realpath() it might be a good idea to fix the ../ nonsense.

What I mean is:

    fopen("this_is_not_a_dir_but_a_file/../../../../../../../../etc/passwd", "r");

works because of realpath() and PHP's wrapper.

Same for

    fopen("this_is_not_existing/../../../../../../../../etc/passwd", "r");

Both are madness...

Stefan
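
The behaviour described in the message above, as an added example that is not part of the original post or of PHP's code. As an assumption, Python's os.path.normpath stands in for the textual collapse of ../ that the message attributes to realpath() and PHP's wrapper; it is compared with the operating system's own resolution on a POSIX system and with a hypothetical strict_resolve() check. The file names and the temporary tree are constructed.

```python
import os
import tempfile

def lexical_collapse(path):
    """Cancel 'name/..' pairs as text, without asking the filesystem."""
    return os.path.normpath(path)

def strict_resolve(base, user_path):
    """Walk user_path under base one component at a time. Every component
    that is stepped through must be an existing directory, and the result
    must stay inside base; otherwise raise ValueError."""
    base = current = os.path.realpath(base)
    for part in user_path.split("/"):
        if part in ("", "."):
            continue
        if not os.path.isdir(current):
            raise ValueError(f"not a directory: {current}")
        current = os.path.realpath(os.path.join(current, part))
        if os.path.commonpath([base, current]) != base:
            raise ValueError(f"escapes base directory: {user_path}")
    return current

def kernel_opens(path):
    """True if the OS itself resolves and opens the path unmodified."""
    try:
        open(path).close()
        return True
    except OSError:
        return False

def demo():
    """Return {path: (opens after collapse, opens raw, strict accepts)}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        base = os.path.join(root, "www")
        os.mkdir(base)
        for name in (os.path.join(base, "page.txt"), os.path.join(root, "secret.txt")):
            with open(name, "w") as fh:
                fh.write("x\n")
        for user in ("page.txt/../../secret.txt", "missing/../../secret.txt", "page.txt"):
            raw = os.path.join(base, user)
            try:
                strict_resolve(base, user)
                accepted = True
            except ValueError:
                accepted = False
            results[user] = (kernel_opens(lexical_collapse(raw)), kernel_opens(raw), accepted)
    return results
```

demo() returns one row per path: the two paths with a file or a missing name in front of ../ open only after the textual collapse, while the raw open and strict_resolve() both refuse them.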