Newsgroups: php.internals
From: greg@chiaraquartet.net (Greg Beaver)
To: internals@lists.php.net, Stanislav Malyshev
CC: Christian Schneider, Lukas Kahwe Smith, PHP Developers Mailing List
Date: Tue, 10 Nov 2009 13:56:57 -0600
Subject: Re: [PHP-DEV] Re: alternative to the fopen() hack in autoloaders

Stanislav Malyshev wrote:
> Hi!
>
>> Alternatively include() could be extended to allow resources, so the
>> above would turn into
>>
>> if ($fp = @fopen($file, 'r', true)) {
>>     include($fp);
>>     fclose($fp);
>> }
>
> This would break security distinction between file ops and include ops,
> when URLs are allowed for open but not include.
>

Not really - the wrapper used to open the file pointer is stored in the
resource, so we can just check it against the same restrictions we would
for static urls.

I think this idea deserves another look.

Greg
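
The check described in the message above can be approximated in userland PHP. This is an added example, not code from the thread or from the PHP engine; the function name `stream_allowed_for_include()` and the rule that only the `plainfile` wrapper counts as a non-URL stream are assumptions made for illustration.

```php
<?php
// Added example: userland approximation of "check the wrapper stored in the
// resource against the include restrictions". Not PHP engine code.

/**
 * Decide whether an already-open stream may be treated as include() input.
 * Assumption: only the local-file wrapper ("plainfile") is a non-URL stream;
 * every other wrapper is gated on the allow_url_include ini setting.
 */
function stream_allowed_for_include($fp): bool
{
    if (!is_resource($fp) || get_resource_type($fp) !== 'stream') {
        return false;
    }
    // The wrapper that opened the stream travels with the resource.
    $meta = stream_get_meta_data($fp);
    if (($meta['wrapper_type'] ?? '') === 'plainfile') {
        return true;
    }
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample inputs: one local file, one data: URL (works offline).
$local = tempnam(sys_get_temp_dir(), 'inc');
file_put_contents($local, "<?php return 'local';\n");
$samples = [
    'local file' => $local,
    'data: URL'  => 'data://text/plain;base64,' . base64_encode("<?php return 'remote';"),
];

foreach ($samples as $label => $target) {
    // Same open call as in the quoted proposal; this succeeds for URL
    // wrappers whenever allow_url_fopen is on.
    $fp = @fopen($target, 'r', true);
    if ($fp === false) {
        printf("%-10s could not be opened\n", $label);
        continue;
    }
    $meta = stream_get_meta_data($fp);
    printf(
        "%-10s wrapper=%-9s include allowed: %s\n",
        $label,
        $meta['wrapper_type'] ?? '?',
        stream_allowed_for_include($fp) ? 'yes' : 'no'
    );
    fclose($fp);
}
unlink($local);
```

With `allow_url_fopen` on and `allow_url_include` off, both streams open, but only the local file passes the include check, which is the distinction the thread is discussing.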