On Mon, 27 Jun 2005, Stefan Esser wrote:
> From my point of view it would have been better to have another ini directive
> like allow_url_includes that defaults to off. However under no circumstances
> allow_url_fopen can be turned back to INI_ALL. An admin has to decide if he
> allows any kind of access to remote files and this is his only way to achieve
> disabling remote file wrappers.
>
> Without a new ini directive I only see the possibility to build an emulation
> layer:
>
> Sys: allow_url_fopen = Off -> User: ini_set("allow_url_fopen",1) fails
> Sys: allow_url_fopen = On -> User: ini_set("allow_url_fopen",0/1) works
You can use in httpd.conf:
php_admin_value allow_url_fopen 0
which users can not override already... so I don't see the point of
implementing the behavior that you have (otherwise it's a good idea).
What we should perhaps do is revert the change that made allow_url_fopen
back to INI_ALL...
regards,
Derick
--
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
