I thought we also decided to default user streams to be marked as insecure with some mechanism for overriding it.
-Rasmus

Ilia Alshanetsky wrote:
> Marcus,
>
> You want to use an INI setting to specify which streams are local and
> which are remote? That seems like a recipe for disaster to me, people
> adjusting this setting may not consider some streams that are remote
> etc... leading to security holes. There is really no reason why PHP
> could not effectively use flags internally to identify the difference
> between the two sources of streams. Ultimately it'll always fall to the
> extension writer, same as with open_basedir, which the author can choose to
> bypass if they so choose to.
>
> The main issue here, I think, is that the is_url flag is new and there are
> many extensions providing remote wrappers that have been written prior to
> its addition and therefore do not have a proper setting in place, which
> may have been added in a hurry to solve a compilation failure.
>
> On 13-Jan-07, at 12:13 PM, Marcus Boerger wrote:
>
>> Hello Stefan,
>>
>> I also think something should be done here. The is_url flag does not
>> really help. What we imho need is an ini setting that allows specifying
>> which stream handlers to allow. And that should not include user streams.
>>
>> best regards
>> marcus
>
> Ilia Alshanetsky
>
>

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php