On Wednesday 5 May 2010, Raphael Geissert wrote:
> On Sunday 02 May 2010 05:47:13 Toni Mueller wrote:
> > I suggest that this be changed to
> >
> > allow_url_fopen = Off
> >
> > to reduce the chance of PHP applications being exploited, and, if you
> > really need to, place a big flashing warning around it to warn users
> > from changing it to "On" again.
>
> No, there are fair use cases for using stream wrappers and making this
> change would break many applications.
>
> Feel free to take this upstream and make the change happen there.

Note that since PHP5 include/require have a separate allow_url_include parameter which *does* default to Off, making having allow_url_fopen On a lot less of a risk than it has been in the 4.x era.

Cheers,
Thijs
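The distinction drawn in this thread can be checked against a given php.ini. The following is an added example, not code from the thread or from the Debian PHP packages: the function names and the sample ini text are constructed for illustration, and it covers every combination of the two directives rather than only the default one discussed above.

```python
import re

# Compiled-in defaults per the PHP manual: URL fopen on, URL include off.
DEFAULTS = {"allow_url_fopen": True, "allow_url_include": False}
DIRECTIVE = re.compile(r"(allow_url_(?:fopen|include))\s*=\s*(.*)$", re.I)


def _truthy(value):
    """Mimic PHP's boolean ini parsing: on/yes/true or a non-zero integer."""
    value = value.strip().strip("\"'").lower()
    if value in ("on", "yes", "true"):
        return True
    try:
        return int(value) != 0
    except ValueError:
        return False


def effective_settings(ini_text):
    """Return the last value set for each directive, else the default.

    Only the text passed in is examined; other configuration sources
    (extra ini directories, web server config) are out of scope here.
    """
    settings = dict(DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        match = DIRECTIVE.match(line)
        if match:
            settings[match.group(1).lower()] = _truthy(match.group(2))
    return settings


def assess(ini_text):
    """Classify the exposure implied by the two directives."""
    s = effective_settings(ini_text)
    if s["allow_url_fopen"] and s["allow_url_include"]:
        return "remote-include"  # include/require accept URL wrappers
    if s["allow_url_fopen"]:
        return "remote-read"     # fopen() etc. accept URLs, include does not
    # The PHP manual notes allow_url_include requires allow_url_fopen.
    return "local-only"


if __name__ == "__main__":
    sample = "allow_url_fopen = On\nallow_url_include = Off\n"  # constructed
    print(assess(sample))
```
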