Marcus,

You want to use an INI setting to specify which streams are local and which are remote? That seems like a recipe for disaster to me; people adjusting this setting may not consider some streams that are remote, etc., leading to security holes. There is really no reason why PHP could not effectively use flags internally to identify the difference between the two sources of streams. Ultimately it'll always fall to the extension writer, same as with open_basedir, which the author can bypass if they so choose.

The main issue here, I think, is that the is_url flag is new and there are many extensions providing remote wrappers that have been written prior to its addition and therefore do not have a proper setting in place, which may have been added in a hurry to solve a compilation failure.

On 13-Jan-07, at 12:13 PM, Marcus Boerger wrote:

Hello Stefan,

  I also think something should be done here. The is_url flag does not really help. What we imho need is an ini setting that allows specifying which stream handlers to allow. And that should not include user streams.

best regards
marcus

Ilia Alshanetsky

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php