I think most of us can agree with the following statement: "allow_url_fopen = ON" is dangerous and the feature is not useful most of the time.
Stefan Esser wrote:
>> It's not stupid to prevent them from being made. But that's not what
>> an admin does. When the admin comes into play, the application is
>> already "made" and employed. The admin just prevents it from working
>> as the developer and the qa-team intended.
>
>
> The admin is deciding what is allowed on his system and what not. Any
> application that cannot deal with different setups is simply broken.
>
> Same for register_globals/magic_quotes_gpc. If your application does not
> behave in the same way with any of these features turned on or off, it
> is simply broken.

I think you missed my point.

- allow_url_fopen is ON by default.
- allow_url_fopen is an INI_SYSTEM directive (i.e. this setting cannot be changed from a script)

Obviously, the current setting is not as secure as

- allow_url_fopen = OFF
- allow_url_fopen = INI_ALL

The latter setting is more secure, and one can use the allow_url_fopen feature when it is needed.

--
Yasuo Ohgaki

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php