Reply to Re: [PHP] patch to php 4.3.10 to disabling URL wrappers in include like statements

Your name:

Reply:


Posted by Bostjan Skufca @ domenca.com on 03/02/05 17:52

From system security's standpoint:

<?php
$content = file_get_contents('http://www.domain.net/file.inc');
echo $content;
?>

is OK, but

<?php
include('http://www.domain.net/file.inc');
?>

is NOT!

Nice patch, Tom, will probably use it myself too...

regards,
Bostjan

On Wednesday 02 March 2005 11:54, Markus Mayer wrote:
> Correct me if I'm wrong, but isn't this already available in the standard
> PHP? In the php.ini file, you can refuse the inclusion of url's :
> allow_url_fopen = Off
>
> I think also Hardened PHP offers additional similar protections.
>
> Markus
>
> On Wednesday 02 March 2005 08:57, Tom Z. Meinlschmidt wrote:
> > Hi,
> >
> > I've experienced a lot of attacks in my hosting server due to silly users
> > and their scripts with holes. So I prepared this little patch to 4.3.10,
> > which disables using url wrappers in
> > include/include_once/require/require_once statemens (switchable in
> > php.ini). See readme.security from patch
> >
> > patch is there:
> >
> > http://orin.meinlschmidt.org/~znouza/php_patch.txt
> >
> > comments are welcome
> >
> > /tom
> >
> > --
> > =========================================================================
> >== ==== Tomas Meinlschmidt, SBN3, MCT, MCP, MCP+I, MCSE, NetApp Filer &
> > NetCache gPG fp: CB78 76D9 210F 256A ADF4 0B02 BECA D462 66AB 6F56 / $ID:
> > 66AB6F56 GCS d-(?) s: a- C++ ULHISC*++++$ P+++>++++ L+++$>++++ E--- W+++$
> > N++(+) !o !K w(---) !O !M V PS+ PE Y+ PGP++ t+@ !5 X? R tv b+ !DI D+ G
> > e>+++ h---- r+++ z+++@
> > =========================================================================
> >== ====

--
Best regards,

Bostjan Skufca
system administrator

Domenca d.o.o.
Phone: +386 4 5835444
Fax: +386 4 5831999
http://www.domenca.com

[Back to original message]
Удаленная работа для программистов  •  Как заработать на Google AdSense  •  England, UK  •  статьи на английском  •  PHP MySQL CMS Apache Oscommerce  •  Online Business Knowledge Base  •  DVD MP3 AVI MP4 players codecs conversion help
Home  •  Search  •  Site Map  •  Set as Homepage  •  Add to Favourites

Copyright © 2005-2006 Powered by Custom PHP Programming

Сайт изготовлен в Студии Валентина Петручека
изготовление и поддержка веб-сайтов, разработка программного обеспечения, поисковая оптимизация