On 16-Jan-07, at 8:07 PM, Sara Golemon wrote:

allow_url_include has been bashed lately for being "not good enough", and there is a kernel of truth to that, though where the ultimate blame falls is of course a touchy subject.

Not really, I mean is it so difficult to expect the extension writer to know that if they are working with remote streams that they should set is_url to 1 rather than 0?

So rather than continue the fight over whose shoulders the job of security should fall on, how about the attached patch which puts a little more power in the hands of the user/site-admin to control what can be treated as a url include, and how it can be treated that way.

I do not think that this is a good idea. Controlling security settings via INI is just a recipe for disaster and will only lead to problems due to poor configuration choices. Basically you are moving the "blame" from extension writers that provide stream wrappers (fairly limited group) onto a far larger group of users.

Ilia Alshanetsky
