Gareth Ardron writes:

> To me, it's obvious that include includes a file - I see no obvious
> determination that that file is either local or remote in the "include"
> statement.

Can you name some other languages in which 'include' has such incredibly sharp edges? C? Python? Perl? BASH? Sed? Awk? Pascal? BASIC? Is there *any* precedent for a language in which 'include' will fetch hostile code from a remote server and execute it? If you're going to argue that experienced programmers will understand that 'include' will fetch code, you should explain how their experience helps them.

> Also, I think it's silly to make include into two functions as you
> suggest given that the ability to include a remote file depends on the
> fopen wrapper being enabled. If we were to follow this line of logic, we
> would have two functions for every current one function which can use
> the fopen wrappers.

That's not my line of logic, so following it takes you off the map.

> I think the documentation quite clearly states that /all/ functions that
> deal with files may deal with remote files if the fopen wrappers are
> enabled

Why did both of my users miss that documentation? The facts seem to be in opposition to your assertion that "the documentation quite clearly states".

> However, as I mention above, every single function that can use
> fopen wrappers can be exploited in this way.

Not true. You would need to have *another* security flaw (a bug in jpg or xml parsing) for hostile jpg or xml content to gain privileges.

> It's unfortunate, but there's a lot of muppets out there who think
> they can code

Now you're blaming the victim.

--
--My blog is at blog.russnelson.com        | If you want to find
Crynwr sells support for free software     | PGPok | injustice in economic
521 Pleasant Valley Rd. | +1 315-323-1241  | affairs, look for the
Potsdam, NY 13676-3213  |                  | hand of a legislator.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
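The hazard the thread argues over is that, with the fopen wrappers enabled, a request-controlled value reaching include can name a URL rather than a local file. The following is an added example, not code from the thread or from PHP itself, of how an application can keep include from ever seeing such a value: the page name is restricted to a bare identifier, checked against an allowlist, and resolved with realpath under a fixed directory. The directory name and the allowlist are hypothetical.

```php
<?php
// Added example: resolve a request-supplied page name to a file under one
// local directory before it is handed to include. A URL ("http://..."),
// a stream scheme ("php://...") or a traversal ("../") never gets that far.
declare(strict_types=1);

function safe_include_path(string $page, string $baseDir, array $allowed): ?string
{
    // Only a bare identifier is accepted: no "/", ":", "." or "..", so any
    // scheme prefix or path component is rejected before touching the disk.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $page)) {
        return null;
    }
    // Explicit allowlist (hypothetical names): the application, not the
    // request, decides which pages exist.
    if (!in_array($page, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    // realpath() returns false for a missing file and canonicalises symlinks,
    // so a final prefix check confirms the file really lives under $baseDir.
    if ($base === false || $full === false) {
        return null;
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Usage: $page comes straight from the request; anything rejected is a 404.
$page = $_GET['page'] ?? 'home';
$path = safe_include_path($page, __DIR__ . '/pages', ['home', 'about', 'contact']);
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
include $path;
```

Independently of such checks, PHP 5.2 and later provide the allow_url_include ini setting (Off by default), which refuses URL wrappers in include and require even when allow_url_fopen is On.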