Stanislav Malyshev wrote: >> allow_url_(include|fopen) applies to them. As such, because >> allow_url_(include|fopen) are disabled by default in PHP 6, this will > > Disabling allow_url_fopen by default is the second mistake. What's wrong > with it? Wasn't the sole reason for having allow_url_include to allow > url_fopen work while protecting includes? Oh yes, somebody could say > fopen+eval. So, somebody could also say curl_open+eval, so what?
I'm on a really crappy connection in China right now, so I haven't read the whole thread, but this caught my eye. Since when is allow_url_fopen disabled by default? It certainly isn't in my PHP6 checkout from a couple of days ago. And it shouldn't be disabled by default. -Rasmus -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
