Newsgroups: php.internals
Xref: news.php.net php.internals:83965
Date: Fri, 27 Feb 2015 15:56:17 +0900
Subject: Re: [RFC][DISCUSSION] Remove allow_url_include INI
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: internals@lists.php.net

Hi all,

On Fri, Feb 27, 2015 at 12:44 PM, Yasuo Ohgaki wrote:
> This is the RFC for removing the "allow_url_include" INI option. [1]
>
> During the "Script only include" RFC[2] discussion, the stream wrapper issue was
> raised. I was thinking of this issue as a separate issue, but it seems others are not.
>
> The "Script only include" RFC does not cover the stream wrapper hole. This RFC
> addresses the hole created by stream wrappers. Those who may be concerned about
> this hole in the "Script only include" RFC may reconsider their votes because of this.
>
> Without this RFC, the "Script only include" RFC may have an infinite number of
> holes. This RFC closes them and makes the "Script only include" RFC more effective.
>
> I don't use phar on a regular basis; feedback from phar users is appreciated.
> If you find yet another hole in [2], please let me know.
>
> [1] https://wiki.php.net/rfc/allow_url_include
> [2] https://wiki.php.net/rfc/script_only_include

A simpler approach could be specifying the prefix of the URL (wrapper):

include('http://php.net', 'http://');

Pros:
- Requires a lot less code modification = less BC.
- A simple string comparison is enough.
- More specific about which wrapper is used. (Only the specified wrapper may be used.)
- More flexible when a new wrapper is added. (No additional code is needed for this.)

Cons:
- 'http://' looks redundant.
- The 2nd parameter is used solely for specifying the wrapper, i.e. it cannot be
  used for a no-embedded-mode flag, etc. There may be a pseudo wrapper like
  "noembed://", though.

Thoughts?

BTW, we had better fix this regardless of https://wiki.php.net/rfc/script_only_include,
since we opened a hole with Phar, which looks like a tar file that can be executed
as a PHP script. There are many servers that allow tar file uploads.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
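The following is an added example, not code from this mail or from PHP itself: a userland emulation of the proposed second include() parameter, showing that the "simple string comparison" described above is enough to pin an include to one wrapper and to refuse the Phar-inside-an-uploaded-tar case. The helper names wrapper_allowed() and include_from() are hypothetical, the sample paths are constructed, and an empty prefix is assumed to mean "local filesystem only".

```php
<?php
declare(strict_types=1);

// Added example (not part of the original mail or of PHP). It emulates in
// userland the proposed include($path, $allowed_prefix) check: a plain prefix
// comparison decides which stream wrapper, if any, an include may use.

/**
 * Return true if $path may be included under $allowedPrefix.
 *
 * $allowedPrefix is a wrapper prefix such as 'http://' or 'phar://'.
 * An empty prefix (assumption made for this example) means "local files only":
 * any path that carries a wrapper scheme of the form "name://" is refused.
 */
function wrapper_allowed(string $path, string $allowedPrefix): bool
{
    if ($allowedPrefix === '') {
        // A bare filesystem path must not start with a stream wrapper scheme.
        return preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) !== 1;
    }
    // Only the named wrapper is accepted; a simple string comparison suffices.
    return strncmp($path, $allowedPrefix, strlen($allowedPrefix)) === 0;
}

/**
 * include() guarded by the prefix check above (hypothetical helper name).
 * Throws instead of including when the wrapper is not the permitted one.
 */
function include_from(string $path, string $allowedPrefix = '')
{
    if (!wrapper_allowed($path, $allowedPrefix)) {
        throw new RuntimeException(
            "include of '$path' refused: wrapper not permitted (allowed prefix: '$allowedPrefix')"
        );
    }
    return include $path;
}

// Constructed sample paths, including the phar-in-a-tar-upload case from the mail.
$cases = [
    ['lib/helper.php',                   ''],        // plain local path: allowed
    ['phar://uploads/archive.tar/x.php', ''],        // phar wrapper on an upload: refused
    ['http://php.net',                   'http://'], // matches the allowed prefix: allowed
    ['https://php.net',                  'http://'], // a different wrapper: refused
    ['file:///etc/hostname',             ''],        // file:// is still a wrapper: refused
];

foreach ($cases as [$path, $prefix]) {
    printf(
        "%-36s prefix=%-10s -> %s\n",
        $path,
        "'$prefix'",
        wrapper_allowed($path, $prefix) ? 'allowed' : 'refused'
    );
}
```

Run it with `php example.php`; only the first and third cases print "allowed". The loop calls wrapper_allowed() rather than include_from() so the demonstration runs without any of the sample files existing, and the check deliberately never parses the URL beyond the literal prefix, which is the property the mail relies on: adding a new wrapper to PHP cannot widen what an existing call permits.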