I think it's a fair assumption that a random host specified in that way be treated as suspicious and lumped in under the disable-includes-by-default category.
If someone discovers that it breaks their app, when they read the docs for allow_url_include it should be made very clear what the implications are and what should be done prior to turning it on. So I have no problem with disallowing includes for paths beginning with a double backslash on Windows, when allow_url_include is disabled.

--Wez.

On 11/5/06, Ilia Alshanetsky <[EMAIL PROTECTED]> wrote:
I think it'd be wrong to consider networked file system as non-local. Mostly because many times there are no ways to identify them reliably and the fact this is a perfectly valid usage that if disallowed by default would break a large number of applications.

On 4-Nov-06, at 4:12 PM, Peter Brodersen wrote:

> On Sat, 04 Nov 2006 12:40:01 -0800, in php.internals
> [EMAIL PROTECTED] (Rasmus Lerdorf) wrote:
>
>> Yeah, we probably should. Had a chat with Wez about it too. Here is
>> the patch. I think this catches the cases we are interested in:
>>
>> http://lerdorf.com/php/is_url.diff
>>
>> If someone could doublecheck it against those attacks it would be
>> helpful.
>
> Would requests to a smbserver, e.g.
> \\10.20.30.40\evil\malicious_php_code.txt be prevented as well? It
> seems like smbserver requests are regarded as part of the default
> filesystem wrapper.
>
> --
> - Peter Brodersen
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php

Ilia Alshanetsky
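
The prefix check discussed in this thread, sketched as an added example in C; it is not the is_url.diff patch and not PHP's own code. The names classify_win_path and include_allowed are hypothetical, and the handling of forward slashes and of the \\?\UNC\ form goes beyond the single \\host\share case the thread mentions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical helper names; not taken from is_url.diff or the PHP source. */
typedef enum { PATH_LOCAL, PATH_UNC } path_kind;

static bool is_sep(char c) { return c == '\\' || c == '/'; }

/* Classify a Windows path by prefix only. A mapped drive such as Z:\ that
 * points at a share still looks local here, which is the limit Ilia raises. */
path_kind classify_win_path(const char *p)
{
    if (!p || !is_sep(p[0]) || !is_sep(p[1]))
        return PATH_LOCAL;              /* relative, rooted or drive-letter path */
    p += 2;
    if ((p[0] == '?' || p[0] == '.') && is_sep(p[1])) {
        p += 2;                         /* \\?\ or \\.\ namespace prefix */
        if (toupper((unsigned char)p[0]) == 'U' &&
            toupper((unsigned char)p[1]) == 'N' &&
            toupper((unsigned char)p[2]) == 'C' && is_sep(p[3]))
            return PATH_UNC;            /* \\?\UNC\host\share */
        return PATH_LOCAL;              /* e.g. \\?\C:\www\inc.php */
    }
    /* \\host\share needs a non-empty host name after the two separators */
    return (*p != '\0' && !is_sep(*p)) ? PATH_UNC : PATH_LOCAL;
}

/* Policy from the thread: UNC includes only when allow_url_include is on. */
bool include_allowed(const char *path, bool allow_url_include)
{
    return allow_url_include || classify_win_path(path) != PATH_UNC;
}

int main(void)
{
    /* Constructed sample paths; the first is the one quoted in the thread. */
    const char *samples[] = {
        "\\\\10.20.30.40\\evil\\malicious_php_code.txt",
        "//10.20.30.40/evil/malicious_php_code.txt",
        "\\\\?\\UNC\\10.20.30.40\\evil\\malicious_php_code.txt",
        "\\\\?\\C:\\www\\inc.php", "C:\\www\\inc.php", "Z:\\share\\inc.php",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-55s %s\n", samples[i],
               include_allowed(samples[i], false) ? "allow" : "deny");
    return 0;
}
```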