Newsgroups: php.internals
Message-ID: <7f3ed2c30808120021n438be34crf83f24ca169f8e3a@mail.gmail.com>
Date: Tue, 12 Aug 2008 09:21:30 +0200
From: hannes.magnusson@gmail.com ("Hannes Magnusson")
To: "Greg Beaver"
Cc: "Dmitry Stogov", internals@lists.php.net
In-Reply-To: <48A0B1FB.6080604@chiaraquartet.net>
Subject: Re: [PHP-DEV] include bug in 5.3

On Mon, Aug 11, 2008 at 23:41, Greg Beaver wrote:
> Dmitry Stogov wrote:
>>
>> This behavior is already implemented in "improved" patch that I sent on
>> Saturday.
>>
>> Thanks. Dmitry.
>
> [snip]
>
>>>> What I mean is:
>>>>
>>>> fopen("this_is_not_a_dir_but_a_file/../../../../../../../../etc/passwd",
>>>> "r");
>>>>
>>>> works because of realpath() and PHP's wrapper.
>
> [snip]
>
> Does this change affect code like:
>
> include "../file.php";

I was thinking along the same line.
I bet some people have been lazy and used __FILE__. "/../../foobar.php".
But then again, maybe they deserve to be punished :)

-Hannes
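
The quoted fopen() call applies ".." to a path component that is a file, not a directory. One way an application can reject that pattern before a path reaches fopen() or include, shown as an added example (not code from this thread or from the patch it mentions); the helper name nonDirBeforeDotDot is hypothetical and POSIX "/" separators are assumed:

```php
<?php
// Added example, not code from the thread or from php-src.
// nonDirBeforeDotDot() is a hypothetical helper; POSIX "/" separators assumed.

/**
 * Walk $path one component at a time. Return null when every ".." is applied
 * to a real directory; otherwise return the prefix (a regular file or a
 * missing entry) that ".." was applied to.
 */
function nonDirBeforeDotDot(string $path): ?string
{
    $cur = ($path !== '' && $path[0] === '/') ? '/' : (string) getcwd();
    foreach (explode('/', $path) as $part) {
        if ($part === '' || $part === '.') {
            continue;
        }
        if ($part === '..') {
            // $cur never contains "..", so is_dir() tests the actual entry.
            if (!is_dir($cur)) {
                return $cur;
            }
            $real = realpath($cur);          // follow symlinks before stepping up
            if ($real === false) {
                return $cur;
            }
            $cur = dirname($real);
            continue;
        }
        $cur = rtrim($cur, '/') . '/' . $part;
    }
    return null;
}

// Constructed sample layout in a scratch directory.
$base = sys_get_temp_dir() . '/dotdot_demo_' . getmypid();
mkdir($base);
mkdir("$base/real_dir");
file_put_contents("$base/this_is_not_a_dir_but_a_file", "x");
file_put_contents("$base/target.txt", "y");

foreach (['this_is_not_a_dir_but_a_file', 'real_dir'] as $first) {
    $bad = nonDirBeforeDotDot("$base/$first/../target.txt");
    echo "$first/../target.txt: ", $bad === null ? "ok" : "rejected at $bad", "\n";
}

unlink("$base/this_is_not_a_dir_but_a_file");
unlink("$base/target.txt");
rmdir("$base/real_dir");
rmdir($base);
```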