My understanding is that this couldn't happen because a userspace
stream would be flagged is_url. So unless someone turns off, say
"ftp", and then adds "ftp" to the whitelist, there is no problem. And
if anyone does that, he/she should seriously consider looking for a
job where he/she can't
Hmm. Yes. I see. Moot indeed.
On 22/01/07, Richard Lynch <[EMAIL PROTECTED]> wrote:
On Tue, January 16, 2007 7:07 pm, Sara Golemon wrote:
> allow_url_fopen and allow_url_include continue to accept boolean flags
> in order to behave just as they do now: true/on allows anything,
> false/off allo
On Tue, January 16, 2007 7:07 pm, Sara Golemon wrote:
> allow_url_fopen and allow_url_include continue to accept boolean flags
> in order to behave just as they do now: true/on allows anything,
> false/off allows only those wrappers without the is_url bit set.
+1, fwiw.
As far as the "user" bei
Sort of thinking out loud and not really sure if this is possible, but
if a wrapper is NOT present (specifically denied) in allow_url_fopen,
but "user" is present, could a user defined wrapper emulate the
missing one, thereby bypassing the restriction?
On 18/01/07, Sara Golemon <[EMAIL PROTECTED]
I assume this would also mean all userland stream wrappers become is_url=1?
Anyway, +1.
This patch, by itself, doesn't affect the is_urlness of userspace
wrappers. Whether or not we change their designation is up to a
separate consensus (I'm in favor of it for the record).
Funnily enough th
Sara,
I assume this would also mean all userland stream wrappers become
is_url=1?
Anyway, +1.
David
On 17.01.2007 at 02:07, Sara Golemon wrote:
allow_url_include has been bashed lately for being "not good
enough", and there is a kernel of truth to that, though where the
ultimate bla
Hello Ilia,
Wednesday, January 17, 2007, 3:09:15 PM, you wrote:
> On 16-Jan-07, at 8:07 PM, Sara Golemon wrote:
>> allow_url_include has been bashed lately for being "not good
>> enough", and there is a kernel of truth to that, though where the
>> ultimate blame falls is of course a touchy s
Ilia Alshanetsky wrote:
>
> On 16-Jan-07, at 8:07 PM, Sara Golemon wrote:
>
>> allow_url_include has been bashed lately for being "not good enough",
>> and there is a kernel of truth to that, though where the ultimate
>> blame falls is of course a touchy subject.
>
> Not really, I mean is it so
On 16-Jan-07, at 8:07 PM, Sara Golemon wrote:
allow_url_include has been bashed lately for being "not good
enough", and there is a kernel of truth to that, though where the
ultimate blame falls is of course a touchy subject.
Not really, I mean is it so difficult to expect the extension wri
Hi Sara
+1 from me, a very nice solution to the problem IMO
Regards
Marco
Hello Sara,
strong +1, awesome work!
best regards
marcus
Wednesday, January 17, 2007, 2:07:15 AM, you wrote:
> Index: main/php_globals.h
> ===
> RCS file: /repository/php-src/main/php_globals.h,v
> retrieving revision 1.109
> dif
allow_url_include has been bashed lately for being "not good enough",
and there is a kernel of truth to that, though where the ultimate blame
falls is of course a touchy subject.
So rather than continue the fight over whose shoulders the job of
security should fall on, how about the attached p