On Mon, November 6, 2006 09:55, Richard Quadling wrote:
> I develop solely on and for our Windows network. I regularly use
> includes on 2 different servers via \\ rather than a mapped drive.
>
> I can see that adding \\ to the list of restrictions would be an issue
> for me.
>
> But also, it is a trivial ini update to remove the problem. And it
> DOES make PHP more secure.
>
>
> So, +1 to add \\ to the list of restrictions.
>
>
> Not so sure it would be as easy for shared host ISPs on Windows to fix
> this though.

This seems to be more of a network setup issue, rather than a PHP issue.
If you haven't blocked access to remote SMB servers in your network, you
are asking for trouble. If you have a rogue SMB box or mount on your
network, PHP is the least of your problems.

You can pretty much guarantee that if people are including URLs, they are
either asking for trouble or looking for it.

Blocking network mounts seems to be too much of an edge case for it to be
included as a feature in allow_url_include, as it might have valid uses
while URLs do not.

You could add an allow_remote_include option, but that would require
another INI option, and those aren't so popular :)

My two cents

// Tom

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
