Newsgroups: php.internals
Message-ID: <54F276EA.6030203@gmail.com>
Date: Sat, 28 Feb 2015 18:18:18 -0800
From: Stanislav Malyshev <smalyshev@gmail.com>
To: Yasuo Ohgaki
CC: Rowan Collins, internals@lists.php.net
Subject: Re: [PHP-DEV] [RFC][DISCUSSION] Remove allow_url_include INI
References: <54F0540C.1040807@gmail.com> <54F149BC.70107@gmail.com>

Hi!

> The root cause of the issue here is preciseness of the setting.
> I think you agree that current "allow_url_include=Off" with INI_SYSTEM is
> not precise at all.

It is precise - it's doing exactly what it's meant to do: separate local wrappers from remote ones.

> We need to consider local and remote wrappers separately.
> We may be better off considering removing all remote wrapper support from
> include/require.

That's exactly what this setting is doing.

> It's rarely used and users can execute a remote script easily with PHP.
> e.g. eval(readfile('http://host/script')).

This setting is indeed rarely used and not recommended to enable, but since it's off by default, I assume anybody enabling it knows what they are doing.

> for "allow_url_include=Off", but there may be others. If we remove most
> local wrapper support (php://input, user wrappers, etc.) from include/require,
> we don't need the 2nd parameter. i.e.

As I previously noted, php://input is considered remote already. As for the others, I'm not sure why we would want to remove them.

--
Stas Malyshev
smalyshev@gmail.com
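The thread turns on what allow_url_include gates (remote wrappers, with php://input counted as remote) and whether local wrappers such as user-defined ones should also be kept out of include/require. An application can sidestep the question entirely by never passing a wrapper of any kind to include. The following is an added example written for this page, not code from the thread, the RFC or the PHP project; it assumes PHP 8.0 or later, and the function names url_include_settings and resolve_local_include, the base directory and the sample file are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): report the two INI settings under
// discussion, and show an include helper that refuses every stream wrapper
// (remote or local) and confines includes to one directory, so application
// behaviour does not depend on the allow_url_include value.

declare(strict_types=1);

/**
 * Read the effective values of the two settings the thread discusses.
 * allow_url_include is only meaningful when allow_url_fopen is also on.
 */
function url_include_settings(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

/**
 * Resolve $name to a real file inside $baseDir, or throw.
 * Any "scheme:" prefix (http://, php://input, data:, phar://, user wrappers)
 * is rejected before the filesystem is consulted, as are absolute paths,
 * NUL bytes and ".." segments.
 */
function resolve_local_include(string $baseDir, string $name): string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $name) === 1 || str_contains($name, "\0")) {
        throw new InvalidArgumentException("stream wrappers are not allowed: $name");
    }
    if (preg_match('#^[A-Za-z0-9_][A-Za-z0-9_/.-]*\.php$#', $name) !== 1 || str_contains($name, '..')) {
        throw new InvalidArgumentException("invalid include name: $name");
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new InvalidArgumentException("base directory does not exist: $baseDir");
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() follows symlinks, so the prefix check also catches links
    // that point outside the base directory.
    if ($path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        throw new InvalidArgumentException("include outside of $baseDir: $name");
    }
    return $path;
}

// Demonstration with a constructed temporary directory and one sample file.
$settings = url_include_settings();
printf("allow_url_fopen=%s allow_url_include=%s\n",
    var_export($settings['allow_url_fopen'], true),
    var_export($settings['allow_url_include'], true));

$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
mkdir($baseDir);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'page.php', "<?php return 'included ok';\n");

$candidates = ['page.php', 'http://example.invalid/x.php', 'php://input', '../outside.php'];
foreach ($candidates as $name) {
    try {
        $result = include resolve_local_include($baseDir, $name);
        echo "$name -> $result\n";
    } catch (InvalidArgumentException $e) {
        echo "$name -> refused: " . $e->getMessage() . "\n";
    }
}

unlink($baseDir . DIRECTORY_SEPARATOR . 'page.php');
rmdir($baseDir);
```

Only page.php is included; the http://, php://input and traversal names are refused by the helper itself, whatever allow_url_include is set to. The scheme regex deliberately matches any wrapper, including user wrappers registered with stream_wrapper_register, which is the local case the quoted reply raises.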