Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:46000
Return-Path: <rasmus@lerdorf.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 70546 invoked from network); 10 Nov 2009 18:20:54 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 10 Nov 2009 18:20:54 -0000
Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lerdorf.com from 209.85.220.227 cause and error)
X-PHP-List-Original-Sender: rasmus@lerdorf.com
X-Host-Fingerprint: 209.85.220.227 mail-fx0-f227.google.com  
Received: from [209.85.220.227] ([209.85.220.227:47341] helo=mail-fx0-f227.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id EB/F5-38546-40FA9FA4 for <internals@lists.php.net>; Tue, 10 Nov 2009 13:20:54 -0500
Received: by fxm27 with SMTP id 27so320468fxm.23
        for <internals@lists.php.net>; Tue, 10 Nov 2009 10:20:49 -0800 (PST)
Received: by 10.103.48.28 with SMTP id a28mr145471muk.128.1257877248907;
        Tue, 10 Nov 2009 10:20:48 -0800 (PST)
Received: from ?192.168.200.22? (c-69-181-146-64.hsd1.ca.comcast.net [69.181.146.64])
        by mx.google.com with ESMTPS id y6sm3899814mug.40.2009.11.10.10.20.46
        (version=TLSv1/SSLv3 cipher=RC4-MD5);
        Tue, 10 Nov 2009 10:20:47 -0800 (PST)
Message-ID: <4AF9AEFB.9030203@lerdorf.com>
Date: Tue, 10 Nov 2009 10:20:43 -0800
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: Stanislav Malyshev <stas@zend.com>
CC: Christian Schneider <cschneid@cschneid.com>, 
 Lukas Kahwe Smith <mls@pooteeweet.org>,
 PHP Developers Mailing List <internals@lists.php.net>
References: <413588E2-8AC8-49F7-B7BF-97BEFB0A71E4@pooteeweet.org> <4AF9A03E.8000207@cschneid.com> <4AF9AE1A.9000005@zend.com>
In-Reply-To: <4AF9AE1A.9000005@zend.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] Re: alternative to the fopen() hack in autoloaders
From: rasmus@lerdorf.com (Rasmus Lerdorf)

Stanislav Malyshev wrote:
> Hi!
> 
>> Alternatively include() could be extended to allow resources, so the
>> above would turn info
>>
>> if ($fp = @fopen($file, 'r', true)) {
>>     include($fp);
>>     fclose($fp);
>> }
> 
> This would break security distinction between file ops and include ops,
> when URLs are allowed for open but not include.

Yes, I was going to say, this sounds like a very bad idea security-wise.
 We'd be back to the local vs. remote resource identification problem.

-Rasmus