Newsgroups: php.internals
Xref: news.php.net php.internals:83880
In-Reply-To: <54EEDE8E.6070201@gmail.com>
References: <54EE50CF.9090508@gmail.com>
 <54EE5A39.9040401@gmail.com> <54EEDE8E.6070201@gmail.com>
Date: Thu, 26 Feb 2015 09:49:48 +0000
To: Stanislav Malyshev
Cc: Yasuo Ohgaki, internals@lists.php.net
Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Introduce script only include/require
From: Pádraic Brady <padraic.brady@gmail.com>

Hi Yasuo,

On 26 February 2015 at 08:51, Stanislav Malyshev wrote:
> Hi!
>
>> This can be prevented by restricting the phar archive name or forbidding all
>> URI names altogether. The latter is the better choice.
>
> If by "all URI" you mean all streams, that would be a very high burden,
> which may break many applications using streams, including phar handling.
>
>> There is a design problem obviously. The reason why phar:// is allowed is
>> that "allow_url_include" is not INI_ALL.
>
> The reason why phar is allowed is because phar is not a remote stream,
> so access to phar is the same as access to the local file system, which is
> necessary for include anyway. The contents of a phar are in the same domain
> as the contents of the local filesystem, that's why no distinction is made.

Agreeing with Stanislav on this one. While it may appear attractive to limit the phar: protocol, it's a fairly vital extension of the filesystem that we should be wary of tampering with. It would probably be more productive to clarify the status of phar: URLs in the docs for allow_url_include, if only to emphasise that it's not covered by that setting.

Paddy

--
Pádraic Brady
http://blog.astrumfutura.com
http://www.survivethedeepend.com
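The distinction Stanislav draws (phar:// is a local stream wrapper, so allow_url_include never sees it) is visible from userland through stream_is_local(), which reports the same "is URL" flag that the include check consults. The script below is an added example written for this page, not code from the thread or from PHP itself: it classifies a few constructed include targets with stream_is_local(), then shows the application-side gate that actually keeps a user-influenced include safe regardless of the ini setting. The function names, the temporary directory and the sample paths are all assumptions made for the demo.

```php
<?php
// Added example for this page (not from the thread or from PHP's own code).
// Shows that phar:// is classified as a local wrapper, so allow_url_include=0
// does not block it, and how an application should gate include targets.

declare(strict_types=1);

// stream_is_local() returns true when the wrapper that would handle $path is
// not flagged as a URL wrapper. That flag is what the allow_url_include=0
// check keys on, so a "local" answer here means the ini setting is not a
// defence for this path.
function wrapperIsLocal(string $path): bool
{
    return stream_is_local($path);
}

// Hypothetical application-side gate for a user-influenced include name.
// It never lets a wrapper prefix reach include(): the name must match a strict
// allowlist pattern and must resolve to a real file inside $baseDir.
function resolveIncludeTarget(string $name, string $baseDir): ?string
{
    // Shape check first: letters, digits, '_', '-', '/' segments, ".php" suffix.
    // This rejects "phar://", "data:", "php://", "..", and NUL bytes before any
    // filesystem call is made.
    if (!preg_match('~\A[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*\.php\z~', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . '/' . $name);
    if ($base === false || $real === false) {
        return null;
    }
    // realpath() has followed symlinks; require the result to stay under $base.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed fixture: a throwaway base directory with one legitimate template.
$baseDir = sys_get_temp_dir() . '/inc_demo_' . getmypid();
mkdir($baseDir . '/templates', 0700, true);
file_put_contents($baseDir . '/templates/home.php', "<?php return 'home';\n");

// Constructed sample inputs; the phar archive and remote host do not exist.
$samples = [
    'templates/home.php',
    'http://evil.example/shell.txt',
    'phar://uploads/avatar.jpg/shell.php',
    'data:text/plain;base64,PD9waHAgcGhwaW5mbygpOw==',
    '../../etc/passwd',
];

printf("allow_url_include=%s\n", ini_get('allow_url_include') ?: '0');
foreach ($samples as $s) {
    $target = resolveIncludeTarget($s, $baseDir);
    printf("%-50s local-wrapper=%-3s accepted=%s\n",
        $s,
        wrapperIsLocal($s) ? 'yes' : 'no',
        $target === null ? 'no' : 'yes');
    if ($target !== null) {
        // Only a path that passed the gate is ever handed to include.
        printf("  include returned: %s\n", include $target);
    }
}

// Cleanup of the constructed fixture.
unlink($baseDir . '/templates/home.php');
rmdir($baseDir . '/templates');
rmdir($baseDir);
```

Run it with plain `php script.php`: the http:// and data: entries report `local-wrapper=no` (those are the ones allow_url_include=0 actually blocks), while `phar://...` and the traversal path report `local-wrapper=yes`, which is exactly why neither can be left to the ini setting. Only `templates/home.php` passes the gate and is included. The gate is deliberately an allowlist on the name's shape rather than a blocklist of wrapper prefixes, because PHP resolves `data:` without the `//` and a new local wrapper can be registered at runtime with stream_wrapper_register().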