Andi Gutmans wrote:
> Hi Sara,
>
> Sorry but I wasn't on IRC so I don't quite understand what you're trying to
> accomplish ;)
> Can you please explain? Once I understand what you're trying to accomplish
> I'll be more than happy to provide feedback to the
> options list.
Andrei/Pierre have a d
> Sorry but I wasn't on IRC so I don't quite
> understand what you're trying to accomplish ;)
> Can you please explain? Once I understand what
> you're trying to accomplish I'll be more than
> happy to provide feedback to the
> options list.
>
Oh, sorry, I thought you were in the email thread whic
Sara Golemon wrote:
> For reasons best left on IRC, it looks like I'll be working on runtime
> JIT. To that end, I've come up with a few proposals of varying
> complexity and feature-set completeness:
>
> Option 1:
> Dump support for compile-time JIT and replace it with a call at runtime
> using
Hi Sara,
Sorry but I wasn't on IRC so I don't quite understand what you're trying to
accomplish ;)
Can you please explain? Once I understand what you're trying to accomplish I'll
be more than happy to provide feedback to the
options list.
Thanks,
Andi
> -Original Message-
> From: Sar
For reasons best left on IRC, it looks like I'll be working on runtime
JIT. To that end, I've come up with a few proposals of varying
complexity and feature-set completeness:
Option 1:
Dump support for compile-time JIT and replace it with a call at runtime
using the same semantics.
Advantag
Stefan Esser wrote:
> Greg,
>
> i was not talking about providing all the different versions of include.
Ah, was this include_url some kind of ini setting you were talking about?
Greg
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
Stanislav Malyshev wrote:
> SE>>And If I am not completely mistaken here unlike php://filter a
> SE>>userstream will not give the THIS_IS_AN_INCLUDE_FLAG down to a stream
> SE>>itself opens.
>
> I think I see what you mean now - i.e. that the user implementation might
> be tricked into opening UR
SE>>And If I am not completely mistaken here unlike php://filter a
SE>>userstream will not give the THIS_IS_AN_INCLUDE_FLAG down to a stream
SE>>itself opens.
I think I see what you mean now - i.e. that the user implementation might
be tricked into opening URL for include even though direct openi
MB>> I always have control of what I program. I alwayshavecontrol of
MB>>whichfiles I load. Ergo there is no security issue - WOW.
I'm afraid you lost me. Could you please explain why you considering user
streams to be security threat without resorting to sarcasm?
--
Stanislav Malyshev, Zend P
Greg,
i was not talking about providing all the different versions of include.
For me it is a broken application design to include anything out of an
URL wrapper.
However it would also be fine to just have allow_url_include affect all
URLs and to be
setable by ini_set() and be turned off by defau
Stanislav,
you obviously did not get the point...
It is not about including URL stream wrappers that youself provide.
It is about URL Include vulnerabilities in the application that allow
remote attackers to issue attacks against Userstreams of the application.
I would not be suprised to see so
Hello Stanislav,
I always have control of what I program. I alwayshavecontrol of whichfiles
I load. Ergo there is no security issue - WOW.
best regards
marcus
Sunday, January 14, 2007, 12:03:04 PM, you wrote:
MB>>> i also think something should be done here. The is_url flag does not
MB>>>re
MB>> i also think something should be done here. The is_url flag does not
MB>>really help. What we imho need is an ini setting that allows
MB>>specifying which stream handlers to allow. And that should not include
MB>>user streams.
I don't see how user streams have anything to do with it - if
Wez Furlong wrote:
On 1/13/07, Lukas Kahwe Smith <[EMAIL PROTECTED]> wrote:
SQLite does not natively support prepared statements anyways.
Yes it does :)
Ah, I got thrown off by the use of the word "precompile" which they also
used to describe dumps of the byte code generated by the SQL comp
On 1/13/07, Lukas Kahwe Smith <[EMAIL PROTECTED]> wrote:
SQLite does not natively support prepared statements anyways.
Yes it does :)
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
15 matches
Mail list logo
