I think most of us can agree the following statement "allow_url_fopen = ON" is dangerous and the feature is not useful most of the time.
No, allow_url_fopen = ON is not dangerous and it is a very useful feature when you want to fopen() a remote URL. What you may consider dangerous is that URLs work with include/require. I was always against such nonsense, because it is actually always bad to require a remote file. No matter if it's over the internet or in a VPN/intranet.
From my point of view it would have been better to have another ini directive like allow_url_includes that defaults to off. However, under no circumstances can allow_url_fopen be turned back to INI_ALL. An admin has to decide if he allows any kind of access to remote files and this is his only way to achieve disabling remote file wrappers.
Without a new ini directive I only see the possibility to build an emulation layer:
Sys: allow_url_fopen = Off -> User: ini_set("allow_url_fopen",1) fails
Sys: allow_url_fopen = On -> User: ini_set("allow_url_fopen",0/1) works

Stefan

--
Stefan Esser
Hardened-PHP Project http://www.hardened-php.net/
GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
Key fingerprint 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78
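The two rules of the emulation layer above, together with a separate default-off switch for include/require, modelled in userland PHP. This is an added example, not part of the original message and not PHP engine code; the class `UrlWrapperPolicy`, its methods and the sample paths are hypothetical, and treating every scheme other than `file://` as a remote wrapper is a simplification.

```php
<?php
declare(strict_types=1);

// Hypothetical model (not PHP engine code): the php.ini value is a ceiling
// that a script may lower for itself but never raise.
final class UrlWrapperPolicy
{
    private bool $effective;

    public function __construct(private bool $system)
    {
        $this->effective = $system;
    }

    // Mirrors ini_set("allow_url_fopen", ...): false means the change was refused.
    public function userSet(bool $wanted): bool
    {
        if ($wanted && !$this->system) {
            return false;            // Sys Off -> user cannot switch it on
        }
        $this->effective = $wanted;  // Sys On -> user may pick 0 or 1
        return true;
    }

    // Simplification: any scheme other than file:// counts as a remote wrapper.
    private static function isUrl(string $path): bool
    {
        return preg_match('#^([a-z][a-z0-9+.-]*)://#i', $path, $m) === 1
            && strtolower($m[1]) !== 'file';
    }

    public function mayFopen(string $path): bool
    {
        return !self::isUrl($path) || $this->effective;
    }

    // Models the separate, default-off include switch: URLs never load as code.
    public function mayInclude(string $path): bool
    {
        return !self::isUrl($path);
    }
}

// Constructed cases: [system setting, value the script asks for, path]
foreach ([[false, true, 'http://example.test/a.txt'],
          [true, true, 'http://example.test/a.txt'],
          [true, false, 'http://example.test/a.txt'],
          [true, true, '/var/www/lib/a.php']] as [$sys, $ask, $path]) {
    $p = new UrlWrapperPolicy($sys);
    printf("sys=%d ask=%d set=%s fopen=%s include=%s  %s\n", $sys, $ask,
        var_export($p->userSet($ask), true), var_export($p->mayFopen($path), true),
        var_export($p->mayInclude($path), true), $path);
}
```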