The problem:
============
Because there is no way to be sure that a userspace stream is not remote, all userspace streams are marked as remote and so
I think that's the first mistake. Marking all streams remote because some of them could do remote access is like refusing to execute all user code because some of it could contain security holes. And it doesn't help - as far as I can see, these precautions still don't catch UNC remote access (\\1.2.3.4\myshare\myfile.php) on Windows.
allow_url_(include|fopen) applies to them. As such, because allow_url_(include|fopen) are disabled by default in PHP 6, this will
Disabling allow_url_fopen by default is the second mistake. What's wrong with it? Wasn't the sole reason for having allow_url_include to allow url_fopen to work while protecting includes? Oh yes, somebody could say fopen+eval. So, somebody could also say curl_open+eval, so what?
The solution:
=============
Add a new function: stream_wrapper_set_local()
Well, it could solve the problem, however it's a very perverted way of doing things - erecting a "security measure" that should be removed for any real use. The whole reason for using this function would be to use that stream in the context of the include - i.e. if you don't include, you don't need it. But if you don't include, you don't care for allow_url_include on user streams either, so effectively having this function would be the same as reverting the decision about marking all user streams remote - just instead of PHP every user of the user streams would have to do it manually. Security-wise it would be exactly the same, hassle-wise - much worse.
Why would this be any different? The point of the allow_* options is to make it more difficult to write insecure code. This would still apply, as a user would have to explicitly register a stream wrapper as being local. This way, our example code:
He'd have to register it regardless of whether it is local or remote - meaning, every time you use a stream in an include context you have to mark it as local. Since if it's not used for include it doesn't matter what it is marked as, it's the same as saying "every time you use the stream you have to mark it", or alternatively "all used user streams should be marked". Now, you probably won't define a stream unless you intend to use it, so it becomes "all defined user streams should be marked as local". Isn't it the same as not marking them remote from the start?
Paranoid hosters could simply put stream_wrapper_set_local() into the disable_functions option.
Maybe it's better to suggest that paranoid hosters disable user stream functions? Or add user_streams_are_local=0 for them.
--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED] http://www.zend.com/

--
PHP Internals - PHP Runtime Development Mailing List
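
Added example, not part of the thread and not code from either participant: it does not use the proposed stream_wrapper_set_local(), but the flags argument that stream_wrapper_register() has in current PHP, where a userspace wrapper is treated as local unless it is registered with STREAM_IS_URL. The class name MemStream, the schemes memlocal and memurl, and the sample file hello.php are made up for the illustration; run it with allow_url_include off (the default) to compare how include treats the two registrations.

```php
<?php
// Added example: a constructed in-memory, read-only userspace wrapper.
class MemStream {
    public static $files = [];   // constructed sample "files", keyed by name
    public $context;             // set by PHP when a stream context is passed
    private $buf = '';
    private $pos = 0;

    public function stream_open($path, $mode, $options, &$opened_path) {
        $name = substr($path, strpos($path, '://') + 3);
        if (!isset(self::$files[$name])) {
            return false;
        }
        $this->buf = self::$files[$name];
        $this->pos = 0;
        return true;
    }
    public function stream_read($count) {
        $chunk = (string) substr($this->buf, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }
    public function stream_eof() { return $this->pos >= strlen($this->buf); }
    public function stream_stat() { return []; }
    public function stream_set_option($option, $arg1, $arg2) { return false; }
}

MemStream::$files['hello.php'] = '<?php return "included";';

// Default flags (0): the wrapper is treated as a local stream.
stream_wrapper_register('memlocal', 'MemStream');
// STREAM_IS_URL: the wrapper is treated as remote, so allow_url_fopen and
// allow_url_include apply to it.
stream_wrapper_register('memurl', 'MemStream', STREAM_IS_URL);

function try_include($uri) {
    $result = @include $uri;     // include evaluates to false when it fails
    return $result === false ? 'blocked or failed' : $result;
}

printf("allow_url_include=%s\n", ini_get('allow_url_include') ?: '0');
printf("memlocal: %s\n", try_include('memlocal://hello.php'));
printf("memurl:   %s\n", try_include('memurl://hello.php'));
```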