On 6/28/05, Russell Nelson <[EMAIL PROTECTED]> wrote:
> 
> If you have to read the man page to find out that 'include' will let
> some random user from a third-world country execute 'rm -rf /' on your
> server, then I propose that the problem is not that users didn't read
> the man page.  The problem is with include, and it needs to be fixed.

Are you suggesting that someone could wipe out your entire machine by
passing a remote script that would system('rm -rf /');?

This is not a PHP related problem. If the user is stupid enough to run
his webserver as root and does not set proper privileges, he deserves
to get his hard drive wiped out.

Maybe we should consider Apache insecure as it allows you to run it as
root if you like? Or maybe we should blame UN*X systems for having a
root account?

I sure do expect to have include() using the fopen wrapper. If it was
not the case, people would start writing their own implementation of
remote include file, opening a HTTP stream and then piping it to
include().

IMHO, this thread is pointless. Just about any feature (good features!) of
PHP might be used to hack a system. There is no way around crappily
written software (meaning the PHP script, and *not* the PHP runtime).
There are no problems with the include() statement. The only thing
missing is a <blink> tag in the docs ;)

Sincerely,
Olivier

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
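A defensive counterpart to the include() discussion above, added here as an example and not code from the thread or from PHP itself: the requested page is resolved through an allowlist and realpath() so that neither a URL nor a traversal path ever reaches include(). The page names, template directory and helper name are assumptions.

```php
<?php
// Added example (not from the thread). include() honours the fopen wrappers,
// so passing user-controlled data straight to it hands the client control
// over which code runs. Defence: never let user bytes reach include().

// Constructed allowlist: request name => template file the app really serves.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/**
 * Return the absolute path of the template to include, or null when the
 * request does not name an allowed page or resolves outside $baseDir.
 */
function resolve_page(string $requested, string $baseDir): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                                // unknown page: refuse
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$requested]);
    // realpath() resolves symlinks and "..": the result must stay inside $base.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Pattern the thread argues about (vulnerable, shown for contrast only):
//   include($_GET['page']);   // a "http://..." or "../.." value is used as-is
//
// Hardened usage: only allowlisted, base-directory-confined paths are included.
$page = resolve_page($_GET['page'] ?? 'home', __DIR__ . '/templates');
if ($page === null) {
    http_response_code(404);
    exit;
}
include $page;

// Belt and braces at the runtime level (php.ini), independent of the script:
//   allow_url_include = Off   ; refuses http://, ftp:// etc. in include/require
//   allow_url_fopen   = Off   ; also refuses URLs in fopen()/file_get_contents()
```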
