rasmus          Fri Nov 18 11:20:43 2005 EDT

  Modified files:              
    /php-src    php.ini-dist php.ini-recommended 
    /php-src/main       main.c php_globals.h 
    /php-src/main/streams       streams.c 
  Log:
  Add allow_url_include to let people turn on allow_url_fopen without also
  enabling remote code execution through URL wrappers
  
  
http://cvs.php.net/diff.php/php-src/php.ini-dist?r1=1.237&r2=1.238&ty=u
Index: php-src/php.ini-dist
diff -u php-src/php.ini-dist:1.237 php-src/php.ini-dist:1.238
--- php-src/php.ini-dist:1.237  Mon Nov 14 18:14:54 2005
+++ php-src/php.ini-dist        Fri Nov 18 11:20:41 2005
@@ -529,6 +529,8 @@
 
 ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
 allow_url_fopen = On
+; Whether to allow code execution through URL wrappers
+allow_url_include = Off
 
 ; Define the anonymous ftp password (your email address)
 ;from="[EMAIL PROTECTED]"
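Review bot: The comment added above the new directive does not say what it gates, and a reader of the ini file alone cannot tell that it is a second, narrower switch sitting under allow_url_fopen. From the streams.c change in this commit, the setting is only consulted for opens flagged as include/require and only has an effect when allow_url_fopen is On, so the comment should say so: `; Whether include/require may load code through URL wrappers (like http:// or ftp://).` followed by `; Only consulted when allow_url_fopen = On.`. The same comment line is added to php.ini-recommended in this commit and should carry identical wording.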
http://cvs.php.net/diff.php/php-src/php.ini-recommended?r1=1.186&r2=1.187&ty=u
Index: php-src/php.ini-recommended
diff -u php-src/php.ini-recommended:1.186 php-src/php.ini-recommended:1.187
--- php-src/php.ini-recommended:1.186   Mon Nov 14 18:14:54 2005
+++ php-src/php.ini-recommended Fri Nov 18 11:20:41 2005
@@ -586,6 +586,8 @@
 
 ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
 allow_url_fopen = On
+; Whether to allow code execution through URL wrappers
+allow_url_include = Off
 
 ; Define the anonymous ftp password (your email address)
 ;from="[EMAIL PROTECTED]"
http://cvs.php.net/diff.php/php-src/main/main.c?r1=1.651&r2=1.652&ty=u
Index: php-src/main/main.c
diff -u php-src/main/main.c:1.651 php-src/main/main.c:1.652
--- php-src/main/main.c:1.651   Tue Nov 15 06:14:34 2005
+++ php-src/main/main.c Fri Nov 18 11:20:43 2005
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: main.c,v 1.651 2005/11/15 11:14:34 dmitry Exp $ */
+/* $Id: main.c,v 1.652 2005/11/18 16:20:43 rasmus Exp $ */
 
 /* {{{ includes
  */
@@ -439,6 +439,7 @@
        PHP_INI_ENTRY("disable_classes",                        "",             
        PHP_INI_SYSTEM,         NULL)
 
        STD_PHP_INI_BOOLEAN("allow_url_fopen",          "1",            
PHP_INI_SYSTEM,         OnUpdateBool,                   allow_url_fopen,        
                php_core_globals,       core_globals)
+       STD_PHP_INI_BOOLEAN("allow_url_include",                "0",            
PHP_INI_SYSTEM,         OnUpdateBool,                   allow_url_include,      
                php_core_globals,       core_globals)
        STD_PHP_INI_BOOLEAN("always_populate_raw_post_data",            "0",    
        PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateBool,                   
always_populate_raw_post_data,                  php_core_globals,       
core_globals)
 #ifdef REALPATH_CACHE
        STD_PHP_INI_ENTRY("realpath_cache_size", "16K", PHP_INI_SYSTEM, 
OnUpdateLong, realpath_cache_size_limit, virtual_cwd_globals, cwd_globals)
http://cvs.php.net/diff.php/php-src/main/php_globals.h?r1=1.98&r2=1.99&ty=u
Index: php-src/main/php_globals.h
diff -u php-src/main/php_globals.h:1.98 php-src/main/php_globals.h:1.99
--- php-src/main/php_globals.h:1.98     Wed Aug  3 10:08:33 2005
+++ php-src/main/php_globals.h  Fri Nov 18 11:20:43 2005
@@ -16,7 +16,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: php_globals.h,v 1.98 2005/08/03 14:08:33 sniper Exp $ */
+/* $Id: php_globals.h,v 1.99 2005/11/18 16:20:43 rasmus Exp $ */
 
 #ifndef PHP_GLOBALS_H
 #define PHP_GLOBALS_H
@@ -150,6 +150,7 @@
 
        char *disable_functions;
        char *disable_classes;
+       zend_bool allow_url_include;
 };
 
 
http://cvs.php.net/diff.php/php-src/main/streams/streams.c?r1=1.89&r2=1.90&ty=u
Index: php-src/main/streams/streams.c
diff -u php-src/main/streams/streams.c:1.89 php-src/main/streams/streams.c:1.90
--- php-src/main/streams/streams.c:1.89 Wed Oct  5 17:46:28 2005
+++ php-src/main/streams/streams.c      Fri Nov 18 11:20:43 2005
@@ -19,7 +19,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: streams.c,v 1.89 2005/10/05 21:46:28 tony2001 Exp $ */
+/* $Id: streams.c,v 1.90 2005/11/18 16:20:43 rasmus Exp $ */
 
 #define _GNU_SOURCE
 #include "php.h"
@@ -2205,7 +2205,7 @@
                return &php_plain_files_wrapper;
        }
 
-       if (wrapper && wrapper->is_url && !PG(allow_url_fopen)) {
+       if ((wrapper && wrapper->is_url) && (!PG(allow_url_fopen) || (options & 
STREAM_OPEN_FOR_INCLUDE) && !PG(allow_url_include)) ) {
                if (options & REPORT_ERRORS) {
                        php_error_docref(NULL TSRMLS_CC, E_WARNING, "URL 
file-access is disabled in the server configuration");
                }
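Review bot: The rewritten condition mixes `||` and `&&` inside one pair of parentheses with no inner grouping, so it relies on `&&` binding tighter than `||`; the result is the intended "fopen disabled, or include of a URL while include is disabled", but it reads ambiguously and GCC warns on it under -Wparentheses, so make the grouping explicit: `(!PG(allow_url_fopen) || ((options & STREAM_OPEN_FOR_INCLUDE) && !PG(allow_url_include)))`. The warning text on the lines that follow is now also wrong for the new case: with allow_url_fopen=On and allow_url_include=Off, an include of a URL reports "URL file-access is disabled in the server configuration", which points the administrator at the wrong directive. Pick the message by which gate tripped, e.g. `php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s is disabled in the server configuration", PG(allow_url_fopen) ? "URL include" : "URL file-access");`, so the diagnostic names the directive that actually blocked the open. The enclosing function starts and ends outside the hunk, so the failure path after this block is not visible here.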
