Re: allow_url_fopen ini directive not enough


KJ wrote:
>> Basically this particular case boils down to: "files that are included
>> and should not be called directly" should not be allowed to be called
>> directly.
>>
>> You can do this at the application level, whereby each included file
>> checks whether it was called directly and refuses to run when that is so.
>>
>> Or you can do this on a system level and tell your webserver not to
>> allow access to particular files or directories.
>
> Yes, you could do either of the above.
>
> I don't have an issue with solutions that PHP (or Apache) provide for
> avoiding this problem. I DO have an issue with the fact that this
> problem is caused by a single "feature" that is probably not used by many
> and should be able to be turned off, much like register_globals.
>
> Forget possible solutions and workarounds for one moment; when I
> download and install a popular application, I don't go through every bit
> of source code to check if these workarounds have been applied. I would
> much rather set an allow_url_include flag to "off", and not have to worry
> about that. There are plenty of things you need to worry about when
> hosting, and this would create one less.

Call me silly, but...

If you don't check the source code, and you think they might be using
include "http://";...

What's the difference between that and not checking all the zillion things
your customers might do that's about 100 X as stupid?

Seems to me you're expending a fair amount of 'worry' over something that,
given that you're not checking their source in the first place, is kind of
meaningless...

Not that I'm suggesting that you *SHOULD* be checking their source -- Only
that the risk you take as part and parcel of your business is untrusted
users putting code on your machine.

-- 
Like Music?
http://l-i-e.com/artists.htm
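The application-level guard described in the quoted text ("each included file checks whether it was called directly and refuses to run"), as an added example that is not code from this thread; the file names `index.php` and `lib/helpers.php` and the marker constant `IN_APP` are assumed for the example.

```php
<?php
// ---- lib/helpers.php (assumed name): an include-only file ----
// First statement in the file: refuse to run when the file was requested
// directly, i.e. when no entry point has defined the IN_APP marker constant.
if (!defined('IN_APP')) {
    http_response_code(403);
    exit('This file can only be included, not requested directly.');
}

// A second, constant-free check for files that cannot rely on a marker:
// compare this file on disk with the script the web server actually executed.
// When included from index.php, SCRIPT_FILENAME points at index.php, so the
// paths differ; when requested directly, they are the same file.
function was_requested_directly(string $file): bool
{
    $script = $_SERVER['SCRIPT_FILENAME'] ?? '';
    return $script !== '' && realpath($file) === realpath($script);
}
if (was_requested_directly(__FILE__)) {
    http_response_code(403);
    exit('This file can only be included, not requested directly.');
}

// Ordinary library code below the guard; only reachable through an entry point.
function helper_greeting(string $name): string
{
    return 'Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// ---- index.php (assumed name): the only file the web server should serve ----
// define('IN_APP', true);                  // marker is set before any include
// require __DIR__ . '/lib/helpers.php';    // the guard above now passes
// echo helper_greeting($_GET['name'] ?? 'world');
```

The system-level counterparts the thread mentions are `allow_url_include = Off` in php.ini, which stops `include` from fetching remote URLs at all, and a web server rule denying requests to the `lib/` directory, which removes the need to trust every file's own guard.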

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
