At 10:24 27/06/2005, Stefan Esser wrote:
>> I think most of us can agree on the following statement:
>> "allow_url_fopen = ON" is dangerous and the feature is not
>> useful most of the time.
>
> No, allow_url_fopen = ON is not dangerous and it is a very useful feature
> when you want to fopen() a remote URL. What you may consider dangerous is
> that URLs work with include/require. I was always against such nonsense,
> because it is actually always bad to require a remote file. No matter if
> it's over the internet or in a VPN/intranet.
>
> From my point of view it would have been better to have another ini
> directive like allow_url_includes that defaults to off. However, under no
> circumstances can allow_url_fopen be turned back to INI_ALL. An admin has
> to decide if he allows any kind of access to remote files and this is his
> only way to achieve disabling remote file wrappers.
>
> Without a new ini directive I only see the possibility to build an
> emulation layer:
>
>   Sys: allow_url_fopen = Off -> User: ini_set("allow_url_fopen",1) fails
>   Sys: allow_url_fopen = On  -> User: ini_set("allow_url_fopen",0/1) works

I agree with everything you said.

Zeev
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
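
An application-level version of the split described in the quoted message, as an added example that is not part of the thread or of PHP itself: remote URLs stay available to fopen(), while include/require only ever receives a path that passed a local-file check. The function name `resolve_local_include()` and the demo paths are hypothetical; `allow_url_include` is the name under which PHP later shipped such a directive (5.2.0).

```php
<?php
// Added example; resolve_local_include() and the demo paths are hypothetical.

/**
 * Resolve $name to an existing file under $baseDir, or throw.
 * Anything with a stream-wrapper scheme (http://, ftp://, php://, data:)
 * is refused, so include/require never reaches a remote resource
 * whatever allow_url_fopen is set to.
 */
function resolve_local_include(string $baseDir, string $name): string
{
    // Scheme of 2+ characters followed by ':' marks a stream wrapper.
    if (preg_match('/^[a-z][a-z0-9+.\-]+:/i', $name)) {
        throw new RuntimeException("stream wrapper refused: $name");
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() is false for missing files and collapses ../ segments.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $path === false
        || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException("path outside include root refused: $name");
    }
    return $path;
}

// Constructed demo input: one legitimate file and three names to refuse.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'header.php', "<?php return 'header loaded';");

$names = ['header.php', 'http://example.invalid/x.txt', 'php://input', '../outside.php'];
foreach ($names as $name) {
    try {
        $result = (include resolve_local_include($dir, $name));
        echo "$name => $result\n";
    } catch (RuntimeException $e) {
        echo 'refused: ', $e->getMessage(), "\n";
    }
}

// The admin-level switches discussed in the thread, as seen by the script.
printf("allow_url_fopen=%s allow_url_include=%s\n",
    var_export(ini_get('allow_url_fopen'), true),
    var_export(ini_get('allow_url_include'), true));

unlink($dir . DIRECTORY_SEPARATOR . 'header.php');
rmdir($dir);
```

Only `header.php` is included; the other three names are refused before include runs, independent of how the server's ini file is set.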