Stanislav Malyshev wrote:
> Stefan Esser writes here:
> http://blog.php-security.org/archives/45-PHP-5.2.0-and-allow_url_include.html
>
> that allow_url_include (and allow_url_fopen) can be easily worked around
> - i.e. externally-supplied code executed on server - by using php: and
> data: URLs. I think if we want allow_url_include to have any value then we
> should fix it... What do you think?
Yeah, we probably should. Had a chat with Wez about it too. Here is the patch. I think this catches the cases we are interested in:

http://lerdorf.com/php/is_url.diff

If someone could double-check it against those attacks it would be helpful.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
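For readers following the thread, here is an added userland illustration of the kind of classification such a patch has to make: deciding whether an include path would pull externally supplied content (network wrappers, data:, php://input) rather than a local file. This is example code written for this page, not Rasmus's is_url.diff and not the engine's own wrapper logic; the scheme list and the function name are assumptions.

```php
<?php
// Added example (not the is_url.diff patch): classify an include path as
// "URL" (external content) or "local" the way a guard behind
// allow_url_include=0 needs to. Assumption: the scheme list below is
// illustrative, not PHP's authoritative wrapper registry.

/**
 * Return true if $path would hand include/require content that did not
 * come from the local filesystem.  Plain paths and file:// stay local.
 */
function include_path_is_url(string $path): bool
{
    // No scheme at all: an ordinary filesystem path.
    if (!preg_match('#^([a-z][a-z0-9+.-]*):#i', $path, $m)) {
        return false;
    }
    $scheme = strtolower($m[1]);

    // A single letter before ':' is a Windows drive (C:\www\lib.php).
    if (strlen($scheme) === 1) {
        return false;
    }

    // file:// is the one wrapper that is still local.
    if ($scheme === 'file') {
        return false;
    }

    // Network wrappers: the case allow_url_include was introduced for.
    if (in_array($scheme, ['http', 'https', 'ftp', 'ftps'], true)) {
        return true;
    }

    // data: carries the payload inside the path; php://input reads the
    // request body.  Both deliver externally supplied content, which is
    // exactly the bypass the thread is discussing.
    if ($scheme === 'data') {
        return true;
    }
    if ($scheme === 'php') {
        $rest = strtolower(substr($path, strlen('php://')));
        return strncmp($rest, 'input', 5) === 0;
    }

    // Any other wrapper is refused by default: fail closed.
    return true;
}

// Constructed sample inputs (not from the thread) showing the classification.
foreach (['/var/www/lib.php', 'file:///var/www/lib.php', 'C:\\www\\lib.php',
          'http://example.invalid/x.txt', 'data:text/plain;base64,AAAA',
          'php://input', 'php://memory'] as $p) {
    printf("%-40s %s\n", $p, include_path_is_url($p) ? 'URL (refuse)' : 'local');
}
```

The fail-closed default matters: a check that only lists known-bad schemes is the kind that the blog post above showed could be worked around.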