Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:83992 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 38688 invoked from network); 27 Feb 2015 11:25:38 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 27 Feb 2015 11:25:38 -0000 Authentication-Results: pb1.pair.com smtp.mail=rowan.collins@gmail.com; spf=pass; sender-id=pass Authentication-Results: pb1.pair.com header.from=rowan.collins@gmail.com; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.43 as permitted sender) X-PHP-List-Original-Sender: rowan.collins@gmail.com X-Host-Fingerprint: 74.125.82.43 mail-wg0-f43.google.com Received: from [74.125.82.43] ([74.125.82.43:34802] helo=mail-wg0-f43.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 25/6C-32582-13450F45 for ; Fri, 27 Feb 2015 06:25:38 -0500 Received: by wghn12 with SMTP id n12so19641738wgh.1 for ; Fri, 27 Feb 2015 03:25:33 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=plEukl9HRh9Urj4OGe57e03Pe187x9A9RLFcQnfRacs=; b=mV7zybAShEyDHj+ETdEIkpp5fUakEdAzrIoWNWVMriB01Wm5GX1tonjXIf/gg7FHkC 1UhBUxz/J8oa4i/JA0ywd+NdIrRCsikmrdumFNkSTUlHEaJrDgDI58xYbgx7K1djJdds cbSG7e4SEYBy0Ig8zatvixzygI3319eqYot3T7aw2JFq5HNsJtBInLqcZ12kCVzPGqQU NRsUupGjht1Itek6YfXrxlWZwzWexNuhDBT2GG5OTmR3Z8GDubigZoBdn91odB+kvQky NYSv6j3KFMsPLBB1pB/xF1af/iK9ePWcG93SHe+UIZaBPsmo7zln4eGQYrU8kjJVH5Jv 5E3w== X-Received: by 10.180.108.199 with SMTP id hm7mr5396341wib.5.1425036333631; Fri, 27 Feb 2015 03:25:33 -0800 (PST) Received: from [192.168.0.136] ([62.189.198.114]) by mx.google.com with ESMTPSA id l6sm5507466wjx.33.2015.02.27.03.25.31 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 27 Feb 2015 03:25:32 -0800 (PST) Message-ID: <54F0540C.1040807@gmail.com> Date: Fri, 27 Feb 2015 11:25:00 +0000 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0 MIME-Version: 1.0 To: internals@lists.php.net References: In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Remove allow_url_include INI From: rowan.collins@gmail.com (Rowan Collins) Yasuo Ohgaki wrote on 27/02/2015 03:44: > Hi all, > > This is RFC for removing "allow_url_include" INI option. [1] > > During "Script only include" RFC[2] discussion, stream wrapper issue is > raised. > I was thinking this issue as a separate issue, but it seems others are not. I'm not convinced by the argument that because "phar://blah" looks like a URL, allowing it makes allow_url_include broken. Perhaps it would be better named allow_remote_include, but it corresponds to masking out your PHP_STREAM_REMOTE flag further down, which is the more important protection. If you want to be able to disable phar:// access, you could add something like allow_local_stream_include for that case without breaking BC. I'm also not at all clear what you mean by "caller" and "callee" responsibilities; surely the difference is just between a global option (ini_set()) and a local one (extra argument)? And in what way does Option #2 require more changes than Option #1, since they both require the argument to be present whenever a stream wrapper is used? I do think local options are better than global ini settings in many cases, but include/require/etc are statements, not functions, so giving them extra arguments is awkward - some of your examples are "wrong" in this regard: // Redundant brackets make this look like a function, but it's not: include('phar://phar_file/script.php'); // I can add as many as I like, the parser is just resolving them to a single string expression: include(((('phar://phar_file/script.php')))); // This is the actual syntax: include'phar://phar_file/script.php'; // Implying this for arguments: include'phar://phar_file/script.php', 'phar://'; // You could explicitly allow a "function form" of the statements, so you could parse this: include(('phar://phar_file/' . $script_name), 'phar://'); // But then you've got a subtle BC break, because the interpretation of this changes: include ($foo) . ('.php'); Regards, -- Rowan Collins [IMSoP]