Rasmus Lerdorf writes:
> How is this any different from
>
> include "../../../../../etc/passwd";

That doesn't let you execute hostile content with local privs.

> There are a lot of places where unfiltered user input can cause some
> rather severe problems.

I agree! And yet .... there is plenty of evidence that *include* among all the language intrinsics is a problem. 'system' has obvious sharp edges. 'include' does not. I'm asking you to make the sharp edges obvious or else blunt them. Renaming 'include' to 'includeremotesecurityhole' is one way. Removing the URL fopening ability from 'include' and adding a new intrinsic called 'includeremote' would do it too.

By the way, remember the 'Open Source' logo contest that you ran for us? We printed it up on t-shirts for FISL 6.0 a month ago. I'll be happy to send you one if you want. Specify yellow, black, or black long-sleeved.

-- 
--My blog is at blog.russnelson.com
Crynwr sells support for free software | PGPok
521 Pleasant Valley Rd. | +1 315-323-1241
Potsdam, NY 13676-3213
If you want to find injustice in economic affairs, look for the hand of a legislator.
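The local/remote distinction debated in this message, as an added example that is not part of the original post or of PHP itself: a wrapper that refuses URL-style names and path traversal before calling `include`. The function name `resolve_local_include`, the demo directory and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Map a requested name to a real file under $baseDir, or return null.
 * Hypothetical helper written for this example.
 */
function resolve_local_include(string $name, string $baseDir): ?string
{
    // A leading "scheme:" (http://, ftp://, php://, data:) is the remote
    // half of include; a NUL byte is never valid in a file name.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $name) === 1
        || strpos($name, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $path === false) {
        return null; // directory or file does not exist
    }
    // After realpath(), "../../../../../etc/passwd" no longer starts with
    // the base directory, so traversal is caught by a prefix comparison.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: one legitimate page in a temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
@mkdir($base);
file_put_contents($base . '/home.php', "<?php echo \"home page\\n\";");

// Constructed sample inputs: a local page, a traversal, a remote URL.
$samples = ['home.php', '../../../../../etc/passwd',
            'http://example.invalid/evil.txt'];
foreach ($samples as $requested) {
    $path = resolve_local_include($requested, $base);
    if ($path === null) {
        echo "refused: $requested\n";
        continue;
    }
    include $path; // only reached for files inside $base
}

// PHP 5.2 and later expose a separate switch for URL includes.
$remote = filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
echo 'allow_url_include is ', $remote ? 'ON' : 'off', "\n";

unlink($base . '/home.php');
rmdir($base);
```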