KJ wrote: >> >> Basically this particular case boils down to: "files that are included >> and >> should not a be called directly" should not be allowed to be called >> directly. >> >> You can do this at the application level whereby each included file >> checks >> whether it was called directly and refuse to run when that is so. >> >> Or you can do this on a system level and tell your webserver not to >> allow >> access to particular files or directories. > > Yes, you could do either of the above. > > I don't have an issue with solutions that PHP (or Apache) provide for > avoiding this problem. I DO have an issue with the fact that this > problem is caused by a single "feature" is probably not used by many and > should be able to be turned off, much like register globals. > > Forget possible solutions and work arounds for one moment; when I > download and install a popular application, I don't go through every bit > of source code to check if these workarounds have been applied. I would > much rather set a allow_url_include flag to "off", and not have to worry > about that. There are plenty of things you need to worry about when > hosting, and this would create one less.
Call me silly, but... If you don't check the source code, and you think they might be using include "http://";... What's the difference between that and not checking all the zillion things your customers might do that's about 100 X as stupid? Seems to me you're expending a fair amount of 'worry' over something that, given that you're not checking their source in the first place, is kind of meaningless... Not that I'm suggesting that you *SHOULD* be checking their source -- Only that the risk you take as part and parcel of your business is untrusted users putting code on your machine. -- Like Music? http://l-i-e.com/artists.htm -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
