> I am not sure I would call it a blacklist. It is a flag in the streams
> layer that marks stream handlers that could possibly make a network
> connection as such and there are only a finite set of stream handlers.

Unfortunately there is not a finite set of stream handlers. First of all there are userstreams. An application could register a dangerous userstream (that is of course not marked as URL) which is then abused by an include. Then there are PECL extensions that register streams.
Just pick a random one: Let's take ext/ssh2. This is not just any pecl extension, but one from a PHP core developer. SSH is obviously a network protocol. The PHP documentation even states that SSH streams are forbidden during allow_url_fopen. However from looking at the code I assume this documentation is wrong, because I see all is_url flags being set to 0. Voila, just install pecl/ssh and you are still vulnerable to remote file includes. That is the problem with opt-in/aka blacklist methods.

Stefan

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
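
The following is an added example, not part of the message above and not PHP's own code. It lists which registered stream wrappers the streams layer flags as URLs, then shows an include check that accepts only files under a base directory, so it does not depend on that flag. `DemoWrapper`, the `demo` scheme and `resolve_include()` are hypothetical names, and the sample requests are constructed.

```php
<?php
// Added example; DemoWrapper, the "demo" scheme and resolve_include() are hypothetical.

class DemoWrapper {}  // stands in for any userstream an application registers

// Registered without the STREAM_IS_URL flag, so is_url stays 0 for this wrapper.
stream_wrapper_register('demo', 'DemoWrapper');

// Audit: list every registered wrapper and whether the streams layer flags it as a URL.
foreach (stream_get_wrappers() as $scheme) {
    $local = stream_is_local($scheme . ':///x');
    printf("%-16s %s\n", $scheme, $local ? 'not flagged as URL' : 'flagged as URL or disabled');
}

// Allowlist check: accept only an existing regular file below $baseDir,
// independent of how any wrapper is flagged.
function resolve_include(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Refuse anything that looks like "scheme:", whatever the scheme is.
    if (preg_match('#^[a-z0-9+.\-]+:#i', $requested)) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Containment: the resolved path must still sit under the base directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sample requests, resolved against this script's directory.
foreach ([basename(__FILE__), 'demo://payload', '../../etc/passwd'] as $request) {
    $path = resolve_include(__DIR__, $request);
    printf("%-20s => %s\n", $request, $path ?? 'rejected');
}
```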