Hello Stefan, On 1/11/07, Stefan Esser <[EMAIL PROTECTED]> wrote:
Hello Rasmus,

> There are some concrete suggestions in the article that we addressed a
> while ago. Things like:
>
> "I'd like to see new defaults that limit include() and require() to
> only allow local files, thereby avoiding remote file injection."
>
> That's the default in PHP 5.2.0 which was released over 2 months ago now.

This is not true. It was demonstrated several times that the "protection" is easily bypassed by using data:// or php://input URLs. Maybe this is fixed in PHP 5.2.1 but it is not in 5.2.0. And it certainly is no protection at all when someone can just use one of the other URL wrappers of PHP that are considered safe and put in an overlong URL that produces a stack overflow. (Hello zip://)
For your information, zip is not enabled by default. If you have a bug/issue about the specific zip:// URL, please let me know. Ilia and Tony already made some path fixes and the fixes are available in zip-1.8.4. They will be in 5.2.1.

--Pierre

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
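The thread above turns on whether a php.ini default can reliably keep include() and require() on local files. An application-level check does not depend on that default at all: resolve the requested name inside a fixed directory and refuse anything carrying a stream-wrapper scheme. The helper below is an added example written for this page; it is not code from the thread, from Stefan, Rasmus or Pierre, nor part of PHP itself. It assumes PHP 7.1 or later (nullable return types) and a hypothetical `includes/` directory next to the script; the sample inputs at the bottom are constructed for illustration.

```php
<?php
// Added example (not from the mailing-list thread): a whitelist-based include
// helper that only loads files from one local directory, whatever the
// allow_url_fopen / allow_url_include settings in php.ini happen to be.
// Assumed (hypothetical) layout: includable files live under __DIR__ . '/includes'.

function safe_include_path(string $requested, string $baseDir): ?string
{
    // Reject anything that looks like a URL wrapper (http://, php://, data:, zip://, ...).
    // A plain relative filename never starts with a "scheme:" prefix.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $requested)) {
        return null;
    }
    // Reject embedded NUL bytes, which can truncate the path in some PHP versions.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() returns false for files that do not exist and resolves every
    // "../" component, so a prefix check against the base directory is sufficient.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function safe_include(string $requested, string $baseDir): void
{
    $path = safe_include_path($requested, $baseDir);
    if ($path === null) {
        throw new RuntimeException('Refusing to include: ' . $requested);
    }
    require $path;
}

// Constructed checks: none of these touch the network or depend on php.ini.
$base = __DIR__ . '/includes';
var_dump(safe_include_path('php://input', $base));          // NULL: wrapper scheme
var_dump(safe_include_path('data:text/plain,x', $base));    // NULL: wrapper scheme
var_dump(safe_include_path('../../etc/passwd', $base));     // NULL: escapes base dir
var_dump(safe_include_path('header.php', $base));           // string path if the file exists, else NULL
```

The scheme check runs before realpath() on purpose: realpath() only understands filesystem paths, so a wrapper URL would otherwise fail "by accident" rather than by policy, and the explicit rejection also gives you a single place to log attempts. The prefix comparison uses the base directory plus a separator so that a sibling directory such as `includes-old/` cannot pass as `includes/`.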