Stanislav, you obviously did not get the point...
It is not about including URL stream wrappers that youself provide. It is about URL Include vulnerabilities in the application that allow remote attackers to issue attacks against Userstreams of the application. I would not be suprised to see some Wrapper Userstream that actually allows specifying a remote URL (something like php://filter just as userstream). And If I am not completely mistaken here unlike php://filter a userstream will not give the THIS_IS_AN_INCLUDE_FLAG down to a stream itself opens. PS: Don't tell me that userstreams are not available at the time of the include... I have seen enough stuff like include "base.lib.php"; ... include $templatepath."/header.php"; ... include $templatepath."/footer.php"; Stefan Esser -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
