Newsgroups: php.internals
Date: Sat, 21 Feb 2015 18:52:07 +0900
Subject: Re: [PHP-DEV] [RFC] [FINAL DISCUSSION] Script only include/require
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Pádraic Brady
Cc: "internals@lists.php.net"

Hi Padraic,

On Sat, Feb 21, 2015 at 5:18 PM, Pádraic Brady wrote:

> Does this have any impact on allow_url_include or has that setting
> been retained?
>
> Yes, folk do indeed try to do this, for example hitting up Google:
>
> http://www.quora.com/Why-do-include-and-require_once-not-work-with-remote-files
>

allow_url_include=Off is kept.
An attacker can easily place *.php files on remote servers.

I guess PHP also allows php://input without it, doesn't it?
php://input allows script execution via post.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
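
An application-side guard that refuses remote URLs and stream wrappers such as php://input before a path reaches include, whatever allow_url_include is set to. This is an added example, not code from the thread or the RFC; it also confines includes to a base directory, which goes beyond the message, and safe_include_path() and the demo file names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the thread): map a requested script name to a
// real file under $baseDir, refusing stream wrappers and remote URLs outright.
function safe_include_path(string $requested, string $baseDir): string
{
    // "scheme:" prefix covers http://, ftp://, php://input and similar wrappers.
    // Requested names are expected to be relative, so this never hits a valid one.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $requested) === 1) {
        throw new InvalidArgumentException('stream wrapper or URL not allowed');
    }
    if (strpos($requested, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in path');
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory does not exist');
    }
    // realpath() collapses "../" and symlinks and returns false for missing files,
    // so the prefix comparison below is made on the final on-disk location.
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('missing or outside base directory');
    }
    if (!is_file($real) || pathinfo($real, PATHINFO_EXTENSION) !== 'php') {
        throw new InvalidArgumentException('not a .php script file');
    }
    return $real;
}

// Constructed demo: one legitimate script in a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'page.php', "<?php return 'ok';");

echo 'allow_url_include = ', var_export(ini_get('allow_url_include'), true), "\n";
$candidates = ['page.php', 'php://input', 'http://example.com/x.php', '../page.php'];
foreach ($candidates as $candidate) {
    try {
        $value = include safe_include_path($candidate, $base);
        echo "$candidate => included, returned ", var_export($value, true), "\n";
    } catch (InvalidArgumentException $e) {
        echo "$candidate => rejected: ", $e->getMessage(), "\n";
    }
}
unlink($base . DIRECTORY_SEPARATOR . 'page.php');
rmdir($base);
```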