Stefan Esser writes here:
http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html

that allow_url_include (and allow_url_fopen) can be easily worked around - i.e. externally-supplied code executed on server - by using php: and data: URLs. I think if we want allow_url_include to have any value then we should fix it... What do you think?

--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED]  http://www.zend.com/

--
PHP Internals - PHP Runtime Development Mailing List
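
One way an application can avoid relying on allow_url_include for the php: and data: cases raised in the message above, as an added example that is not part of the original email or PHP's own code. The helper name `resolve_template`, the directory layout and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not PHP's own fix): map a request value to a file
 * on an allowlist, so no URL or stream wrapper ever reaches include.
 */
function resolve_template(string $name, string $baseDir, array $allowed): string
{
    // Reject anything with a "scheme:" prefix (covers php: and data: as
    // well as http:) or an embedded NUL byte.
    if (preg_match('/^[a-z][a-z0-9+.\-]*:/i', $name) || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('stream wrappers are not accepted');
    }
    // Only names on the explicit allowlist are accepted.
    if (!in_array($name, $allowed, true)) {
        throw new InvalidArgumentException('unknown template');
    }
    // Resolve symlinks and ".." and confirm the result is inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('path escapes template directory');
    }
    return $path;
}

// Constructed demo: a temporary directory holding one template file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', '<?php return "home";');

// Constructed inputs: one legitimate name, then wrapper-style and traversal values.
foreach (['home', 'php://input', 'data:text/plain,x', '../home'] as $input) {
    try {
        $result = include resolve_template($input, $dir, ['home']);
        echo str_pad($input, 20), ' -> included, returned ', var_export($result, true), "\n";
    } catch (InvalidArgumentException $e) {
        echo str_pad($input, 20), ' -> rejected: ', $e->getMessage(), "\n";
    }
}

// Clean up the constructed files.
unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```

Only `home` is included; the wrapper-style and traversal inputs are rejected before `include` is ever reached, whatever the ini settings are.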