Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:83739
Return-Path: <smalyshev@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 36319 invoked from network); 25 Feb 2015 04:57:51 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 25 Feb 2015 04:57:51 -0000
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.220.50 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@gmail.com
X-Host-Fingerprint: 209.85.220.50 mail-pa0-f50.google.com  
Received: from [209.85.220.50] ([209.85.220.50:40739] helo=mail-pa0-f50.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id F0/B0-32189-F465DE45 for <internals@lists.php.net>; Tue, 24 Feb 2015 23:57:51 -0500
Received: by paceu11 with SMTP id eu11so2284514pac.7
        for <internals@lists.php.net>; Tue, 24 Feb 2015 20:57:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=message-id:date:from:user-agent:mime-version:to:cc:subject
         :references:in-reply-to:content-type:content-transfer-encoding;
        bh=N0b/8kFb3hwAR/U0OX2bUWBPm2jLw9vUEiCYLm2iggs=;
        b=cmyZTGqyF1tFFvOhXKMgotLhJ26ABOmxkFb1Mvp8SNpcWEipJ6wFsJjWXDZv4SzEpc
         7ZaQ9pZYOI3ZBua95SK/5b2ay5PVXmVxyy5kYUkXT8rNvELQ4sKOj5295O+PiDt0TISW
         ncGfMiLlMkSxlxOospJZb/jPq3qg4hKkXuKJhzo38kpMf4Zk+EP7dzPJFYpeRofIysIG
         Do1EAhLllDoIrK4RWJuwtjuSQvXX1VhO+VZI0cTHX4MCMdrrF1s7t58DWlkbq+hYe/ff
         YrBT+Utm0q+TKbG7hVtT6VP6ryERyA97edUFp8PXRawHCCJDgIb+p1i86uAIMZSvsayz
         ImFg==
X-Received: by 10.68.244.2 with SMTP id xc2mr2151750pbc.45.1424840268362;
        Tue, 24 Feb 2015 20:57:48 -0800 (PST)
Received: from Stas-Air.local (108-66-6-48.lightspeed.sntcca.sbcglobal.net. [108.66.6.48])
        by mx.google.com with ESMTPSA id cb9sm40971980pad.46.2015.02.24.20.57.45
        (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 24 Feb 2015 20:57:47 -0800 (PST)
Message-ID: <54ED5648.1020907@gmail.com>
Date: Tue, 24 Feb 2015 20:57:44 -0800
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Yasuo Ohgaki <yohgaki@ohgaki.net>
CC: =?UTF-8?B?UMOhZHJhaWMgQnJhZHk=?= <padraic.brady@gmail.com>, 
 "internals@lists.php.net" <internals@lists.php.net>
References: <CAGa2bXa=LHMT+wdSM_xbHDo1901QDSFa-KotjQckNwVX9wUEUQ@mail.gmail.com> <CAGa2bXZ0VCC4ZN0=YU8ZE9LXm8m9j-RJnmYOhd5qrENoa1HimQ@mail.gmail.com> <CA+9eiLvV-wY-6BC5FHZM=uMAWm4Ny4Ej_m2F31o6DNGacpfJPQ@mail.gmail.com> <CALwr1Gmmy06_4ZgsvUhcf5m7g06vK2s18qmxKBv1gu+syrsbQA@mail.gmail.com> <54ECD4E3.9040705@gmail.com> <CALwr1GkY_8TN-HwXnRNL0-1oRfQPJvz0_vyJv_ojUTVsFbkNTQ@mail.gmail.com> <CAGa2bXZV1FOaW5mJqx2yw7WQz0prp1zfEgdEw99StbWPgDFUwg@mail.gmail.com> <54ECFAA8.4020305@gmail.com> <CAGa2bXZ373PGrJtpmgLje3obzGcXQs5sND=8TzyuKac+hZ--Fg@mail.gmail.com> <54ED085C.8010901@gmail.com> <CAGa2bXYDGXu3coifbAdLUqE=1qPEJb4RnC_-vWctcrFirc-S6Q@mail.gmail.com> <54ED1CE2.9060903@gmail.com> <CAGa2bXaKG3p02Y0X22NP7W=qdO7N4pq8ikqNoF7xm0vUBzMmbg@mail.gmail.com> <54ED3F2F.7050203@gmail.com> <CAGa2bXYsG4fcVL3o_sbpXehL7=3SJ5jdMuPnNe8Sn4f_a1H_XA@mail.gmail.com>
In-Reply-To: <CAGa2bXYsG4fcVL3o_sbpXehL7=3SJ5jdMuPnNe8Sn4f_a1H_XA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] [RFC] Script only include/require
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> I have to at least php:// 
> php://input or php://stdin 
> allows attacker script execution via POST if it's allowed
> by allow_url_include=On.

allow_url_include=On means it's allowed. That's what "on" setting is
for. Production setting should always be "off".
-- 
Stas Malyshev
smalyshev@gmail.com