Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:47871
Return-Path: <tyra3l@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 22198 invoked from network); 11 Apr 2010 16:28:29 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 11 Apr 2010 16:28:29 -0000
Authentication-Results: pb1.pair.com header.from=tyra3l@gmail.com; sender-id=pass; domainkeys=bad
Authentication-Results: pb1.pair.com smtp.mail=tyra3l@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.218.216 as permitted sender)
DomainKey-Status: bad
X-DomainKeys: Ecelerity dk_validate implementing draft-delany-domainkeys-base-01
X-PHP-List-Original-Sender: tyra3l@gmail.com
X-Host-Fingerprint: 209.85.218.216 mail-bw0-f216.google.com  
Received: from [209.85.218.216] ([209.85.218.216:64746] helo=mail-bw0-f216.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 45/E1-11452-CA8F1CB4 for <internals@lists.php.net>; Sun, 11 Apr 2010 12:28:28 -0400
Received: by bwz8 with SMTP id 8so2049954bwz.23
        for <internals@lists.php.net>; Sun, 11 Apr 2010 09:28:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=gamma;
        h=domainkey-signature:mime-version:received:in-reply-to:references
         :date:received:message-id:subject:from:to:cc:content-type;
        bh=dR0BHo5uIavoG9q3U8u9PVGh9ysgNpxv8834opdlDCM=;
        b=T+qYlkvH/wPEYLaXPsqd5rP9EvQRTwZOj2rZcMqrJX7BKR8luxOOy07DJUDDwn6H2K
         6mfGWN9VA5XfdIydnEdjwNlbUihsfNEA6drJnCxUHtTG4MRKzxF50JBvDahAJDPg5HUz
         3Eh2LidAOuxo2KRZxy3p9C5nNO5L6qs/im7JQ=
DomainKey-Signature: a=rsa-sha1; c=nofws;
        d=gmail.com; s=gamma;
        h=mime-version:in-reply-to:references:date:message-id:subject:from:to
         :cc:content-type;
        b=gm3PXT+MeVaKGiQqyUzZph+ZPAQTkj5m/MBQY6nQ1HeUP271O3k4x7MWV91E9DvFSg
         Qo9Cy0707WWTdqkI9OffBBnPTmggMlubMhF24JW2Q+DAnCTTFw2oOXThZKzmu4/esHvd
         DfM7RvpIjhjqWJH1U2N4fmEaXCVUfUtMBm0bA=
MIME-Version: 1.0
Received: by 10.204.120.10 with HTTP; Sun, 11 Apr 2010 09:28:25 -0700 (PDT)
In-Reply-To: <alpine.LFD.2.00.1004111638510.5158@www.karsites.net>
References: <alpine.LFD.2.00.1004111638510.5158@www.karsites.net>
Date: Sun, 11 Apr 2010 18:28:25 +0200
Received: by 10.204.15.23 with SMTP id i23mr3374659bka.106.1271003305698; Sun, 
	11 Apr 2010 09:28:25 -0700 (PDT)
Message-ID: <m2gb54d0abe1004110928mbdd6c17aj5b0eb215c69cf6da@mail.gmail.com>
To: Keith Roberts <keith@karsites.net>
Cc: internals@lists.php.net
Content-Type: multipart/alternative; boundary=00032555ac7e8b64920483f88428
Subject: Re: [PHP-DEV] Making reading files from remote URL's more secure
From: tyra3l@gmail.com (Ferenc Kovacs)

--00032555ac7e8b64920483f88428
Content-Type: text/plain; charset=UTF-8

On Sun, Apr 11, 2010 at 6:23 PM, Keith Roberts <keith@karsites.net> wrote:

> Hi all.
>
> I've been reading about the security implications of turning
> allow_url_fopen 'on' for certain PHP applications that need to read files
> from a remote URL.
>
> To recap, please read this old article about Remote file inclusion
> vulnerabilities: http://lwn.net/Articles/203904/
>
> I'm just wondering if the ability to read files from a remote URL could be
> moved into a set of functions dedicated to that purpose alone? Then remove
> the URL reading ability from the standard file reading functions, to make
> those more secure?
>
> The new set of remote file reading functions could be prefixed with 'url_'.
>
> This would make it easier to distinguish between the local file reading
> functions, and those that read from remote URL's.
>
> So the normal fopen() function would only work on files locally, regardless
> of whether allow_url_open was turned on.
>
> This would be a great step.... backward.

Tyrael

--00032555ac7e8b64920483f88428--