Hello Stefan,

  I also think something should be done here. The is_url flag does not
really help. What we imho need is an ini setting that allows specifying
which stream handlers to allow. And that should not include user streams.

best regards
marcus

Saturday, January 13, 2007, 5:59:45 PM, you wrote:

>> I am not sure I would call it a blacklist.  It is a flag in the streams
>> layer that marks stream handlers that could possibly make a network
>> connection as such and there are only a finite set of stream handlers.
>>   
> Unfortunately there is not a finite set of stream handlers. First of all
> there are userstreams. An application could register a dangerous
> userstream (that is of course not marked as URL) which is then abused by
> an include.
> Then there are PECL extensions that register streams.

> Just pick a random one: Let's take ext/ssh2. This is not just any pecl
> extension, but one from a PHP core developer.

> SSH is obviously a network protocol. The PHP documentation even states
> that SSH streams are forbidden during allow_url_fopen.
> However from looking at the code I assume this documentation is wrong,
> because I see all is_url flags being set to 0.

> Voila, just install pecl/ssh and you are still vulnerable to remote file
> includes.

> That is the problem with opt-in/aka blacklist methods.

> Stefan




Best regards,
 Marcus

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
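
The allow-list approach proposed in this message, sketched in userland PHP as an added example (not code from the thread or from PHP itself). The function names, the demo wrapper class and the sample paths are constructed, and the scheme parsing only approximates what the streams layer does.

```php
<?php
// Added example: decide by allow-list which stream wrapper an include path
// may use, instead of trusting each wrapper to flag itself as a URL.

// Constructed user stream; registered below without any URL flag, like the
// userstreams discussed in the thread.
class DemoUserStream {
    public $context;
    public function stream_open($path, $mode, $options, &$opened) { return true; }
}

// Approximation (assumption) of wrapper selection: "scheme://" with a scheme
// of two or more characters, or the special-cased "data:" prefix.
function path_wrapper(string $path): string {
    if (preg_match('~^([a-z0-9+.\-]{2,})://~i', $path, $m)) {
        return strtolower($m[1]);
    }
    if (strncasecmp($path, 'data:', 5) === 0) {
        return 'data';
    }
    return 'file'; // plain paths go to the local filesystem wrapper
}

// Default deny: anything not named in the list is refused, so a wrapper
// added later by an extension or by the application is refused too.
function include_allowed(string $path, array $allowList): bool {
    return in_array(path_wrapper($path), $allowList, true);
}

stream_wrapper_register('demo', 'DemoUserStream'); // flags default to 0

$allowList = ['file'];
$candidates = [ // constructed sample paths
    '/var/www/inc/header.php',
    'demo://anything',
    'ssh2.sftp://host.example/tmp/x.php',
    'data:text/plain;base64,AAAA',
    'HTTP://host.example/x.txt',
];

echo 'registered: ', implode(', ', stream_get_wrappers()), "\n";
foreach ($candidates as $p) {
    printf("%-38s wrapper=%-10s %s\n", $p, path_wrapper($p),
        include_allowed($p, $allowList) ? 'allow' : 'deny');
}
```

Only the first path is allowed; the user stream and the ssh2 path are denied without either wrapper having to declare itself a URL.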
