Hi all, On Fri, Feb 27, 2015 at 12:44 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> This is an RFC for removing the "allow_url_include" INI option. [1]
>
> During the "Script only include" RFC [2] discussion, the stream wrapper issue was
> raised. I was thinking of this as a separate issue, but it seems others are not.
>
> The "Script only include" RFC does not cover the stream wrapper hole. This RFC
> addresses the hole created by stream wrappers. Those who may be concerned about
> this hole in the "Script only include" RFC may reconsider their votes based on this.
>
> Without this RFC, the "Script only include" RFC may have an infinite number of
> holes. This RFC closes them and makes the "Script only include" RFC more effective.
>
> I don't use phar on a regular basis, so feedback from phar users is appreciated.
> If you find yet another hole in [2], please let me know.
>
> [1] https://wiki.php.net/rfc/allow_url_include
> [2] https://wiki.php.net/rfc/script_only_include

A simpler approach could be specifying the prefix of the URL (wrapper):

include('http://php.net', 'http://');

Pros:
- Requires a lot less code modification = less BC breakage.
- A simple string comparison is enough.
- More specific about which wrapper is used. (Only the specified wrapper may be used.)
- More flexible when a new wrapper is added. (No additional code is needed for this.)

Cons:
- 'http://' looks redundant.
- The 2nd parameter is used solely for specifying the wrapper, i.e. it cannot be
  used for a no-embedded-mode flag, etc. There may be a pseudo wrapper like
  "noembed://", though.

Thoughts?

BTW, we had better fix this regardless of https://wiki.php.net/rfc/script_only_include,
since we opened a hole with Phar: a file that looks like a tar file can be executed
as a PHP script. There are many servers that allow tar file uploads.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net
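The following is an added example, not code from the RFC, from PHP core or from Yasuo's message: a userland sketch of the "allowed wrapper prefix" string comparison proposed above, so the decision it makes on paths such as an uploaded tar reached through phar:// can be seen. The function names include_allowed() and safe_include(), the second parameter and the sample paths are assumptions for illustration; the actual proposal is a change to include() itself.

```php
<?php
// Added example (not part of the RFC or of PHP): a userland sketch of the
// "allowed wrapper prefix" check. Function names and the second parameter
// are assumptions for illustration only.

/**
 * Decide whether $path may be included when only $allowed_prefix is permitted.
 *
 * A path with no scheme is a plain filesystem path and is compared as if it
 * were prefixed with "file://", so a caller passes "file://" to allow local
 * files only.
 */
function include_allowed(string $path, string $allowed_prefix = 'file://'): bool
{
    // PHP's wrapper lookup recognises "scheme://" (letters, digits, "+", "-"
    // and "." in the scheme name) and, as the one exception, "data:" without
    // slashes. Both must count as "has a scheme"; otherwise
    // "data:text/plain,<?php ..." would be mistaken for a local file.
    $has_scheme = preg_match('#^([A-Za-z][A-Za-z0-9+.\-]*://|data:)#i', $path) === 1;

    $normalized = $has_scheme ? $path : 'file://' . $path;

    // Compare case-insensitively: the scheme part of a wrapper path is not
    // case sensitive in PHP, so "PHAR://" must be treated like "phar://".
    return strncasecmp($normalized, $allowed_prefix, strlen($allowed_prefix)) === 0;
}

/**
 * Wrapper around include that refuses any path outside the allowed prefix.
 * (The real proposal would put this check inside include() itself.)
 */
function safe_include(string $path, string $allowed_prefix = 'file://')
{
    if (!include_allowed($path, $allowed_prefix)) {
        throw new RuntimeException(
            "include of '$path' refused: only '$allowed_prefix' paths are allowed"
        );
    }
    return include $path;
}

// Constructed sample paths, including the "uploaded tar reached via phar://"
// case from the message above. Nothing is actually included here; the demo
// only prints the decision the check would make.
$cases = [
    ['/var/www/lib/helper.php',                  'file://'],
    ['lib/helper.php',                           'file://'],
    ['phar://uploads/user123.tar/evil.php',      'file://'],
    ['PHAR://uploads/user123.tar/evil.php',      'file://'],
    ['data:text/plain,<?php phpinfo();',         'file://'],
    ['http://php.net/',                          'http://'],
    ['https://php.net/',                         'http://'],
    ['phar://app/vendor/app.phar/bootstrap.php', 'phar://'],
];

foreach ($cases as [$path, $prefix]) {
    printf("%-8s %-42s => %s\n",
        $prefix, $path, include_allowed($path, $prefix) ? 'allowed' : 'refused');
}
```

Two details matter for the "simple string comparison" to hold up: a scheme-less path has to be normalised to file:// before comparing, or a bare local path and a wrapper path are compared on different terms, and the comparison has to be case-insensitive, or an upper-cased scheme bypasses it. Note that https:// is refused when only http:// is allowed, which is the "more specific" property the message lists as a pro. The check says nothing about what an allowed file:// path contains; that is the separate concern of the script-only-include RFC.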