On Mon, Aug 11, 2008 at 23:41, Greg Beaver <[EMAIL PROTECTED]> wrote:
> Dmitry Stogov wrote:
>>
>> This behavior is already implemented in "improved" patch that I sent on
>> Saturday.
>>
>> Thanks. Dmitry.
>
> [snip]
>
>>>> What I mean is:
>>>>
>>>> fopen("this_is_not_a_dir_but_a_file/../../../../../../../../etc/passwd",
>>>> "r");
>>>>
>>>> works because of realpath() and PHP's wrapper.
>
> [snip]
>
> Does this change affect code like:
>
> include "../file.php";

I was thinking along the same lines. I bet some people have been lazy
and used __FILE__. "/../../foobar.php".
But then again, maybe they deserve to be punished :)

-Hannes

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
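
The quoted fopen() case turns on whether ".." is collapsed on the path string or resolved against the filesystem. As an added example (not code from this thread or from PHP's source), the sketch below contrasts the two, assuming the behaviour described is string-level collapsing; `lexical_collapse()`, `strict_resolve()` and the temp-directory layout are hypothetical and constructed for the demo, POSIX paths are assumed, and symlinks are not followed.

```php
<?php
// Added illustration: both helpers are hypothetical, not PHP internals.

// Collapse "." and ".." purely on the string, never touching the filesystem.
function lexical_collapse(string $path): string {
    $out = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    return '/' . implode('/', $out);
}

// Walk one component at a time; every prefix that is followed by another
// component (including "..") must be a real directory, as the OS would require.
function strict_resolve(string $path): ?string {
    $cur = '/';
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') continue;
        if (!is_dir($cur)) return null;      // e.g. a regular file followed by ".."
        if ($seg === '..') { $cur = dirname($cur); continue; }
        $cur = rtrim($cur, '/') . '/' . $seg;
    }
    return file_exists($cur) ? $cur : null;
}

// Constructed sample layout: one regular file, one real directory, one target.
$base = sys_get_temp_dir() . '/trav_demo_' . getmypid();
mkdir("$base/sub", 0700, true);
touch("$base/this_is_not_a_dir_but_a_file");
touch("$base/target.txt");

foreach (['this_is_not_a_dir_but_a_file', 'sub'] as $first) {
    $p = "$base/$first/../target.txt";
    printf("%-30s lexical=%s strict=%s\n", $first,
        basename(lexical_collapse($p)),
        var_export(strict_resolve($p) !== null, true));
}

// Clean up the constructed files.
unlink("$base/target.txt");
unlink("$base/this_is_not_a_dir_but_a_file");
rmdir("$base/sub");
rmdir($base);
```

The string-level collapse yields `target.txt` for both inputs, while the component-wise walk rejects the path whose first component is a regular file and accepts the one that passes through a real directory.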
