I think it'd be wrong to consider networked file system as non-local.
Mostly because many times there are no ways to identify them reliable
and the fact this is a perfectly valid usage that if disallowed by
default would break a large number of applications.
On 4-Nov-06, at 4:12 PM, Peter Brodersen wrote:
On Sat, 04 Nov 2006 12:40:01 -0800, in php.internals
[EMAIL PROTECTED] (Rasmus Lerdorf) wrote:
Yeah, we probably should. Had a chat with Wez about it too. Here is
the patch. I think this catches the cases we are interested in:
http://lerdorf.com/php/is_url.diff
If someone could doublecheck it against those attacks it would be
helpful.
Would requests to a smbserver, e.g.
\\10.20.30.40\evil\malicious_php_code.txt be prevented as well? It
seems like smbserver requests are regarded as part of the default
filesystem wrapper.
--
- Peter Brodersen
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
Ilia Alshanetsky
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php