On Sun, Apr 11, 2010 at 6:23 PM, Keith Roberts <ke...@karsites.net> wrote:
> Hi all.
>
> I've been reading about the security implications of turning
> allow_url_fopen 'on' for certain PHP applications that need to read files
> from a remote URL.
>
> To recap, please read this old article about Remote file inclusion
> vulnerabilities: http://lwn.net/Articles/203904/
>
> I'm just wondering if the ability to read files from a remote URL could be
> moved into a set of functions dedicated to that purpose alone? Then remove
> the URL reading ability from the standard file reading functions, to make
> those more secure?
>
> The new set of remote file reading functions could be prefixed with 'url_'.
>
> This would make it easier to distinguish between the local file reading
> functions, and those that read from remote URLs.
>
> So the normal fopen() function would only work on files locally, regardless
> of whether allow_url_fopen was turned on.

This would be a great step.... backward.

Tyrael
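The split Keith proposes can be approximated in userland today, which is a useful way to see what it buys: a local-only open that refuses every stream wrapper, and a separate `url_` open that admits only http(s). This is an added example written for this page, not code from the thread or from PHP itself; the function names `stream_scheme`, `local_fopen` and `url_fopen` are hypothetical.

```php
<?php
// Added example: Keith's "local vs url_" split done as two fopen() wrappers.

/**
 * Return the stream-wrapper scheme of $path ('http', 'php', 'data', 'file', ...),
 * or null when $path is a plain filesystem path. The scheme must be at least
 * two characters, so a Windows drive letter such as "C:\x" is not a scheme.
 */
function stream_scheme(string $path): ?string
{
    if (preg_match('#^([a-z][a-z0-9+.-]+):#i', $path, $m)) {
        return strtolower($m[1]);
    }
    return null;
}

/** Local-only fopen(): refuses every wrapper, including file://, php:// and data:. */
function local_fopen(string $path, string $mode)
{
    if (stream_scheme($path) !== null) {
        throw new InvalidArgumentException("local_fopen(): refusing wrapper path: $path");
    }
    return fopen($path, $mode);
}

/** The url_ counterpart: http(s) only, and only while allow_url_fopen is on. */
function url_fopen(string $url, string $mode = 'r')
{
    if (!in_array(stream_scheme($url), ['http', 'https'], true)) {
        throw new InvalidArgumentException("url_fopen(): only http/https URLs allowed: $url");
    }
    if (!filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException('url_fopen(): allow_url_fopen is off');
    }
    return fopen($url, $mode);
}

// Constructed inputs: one genuine local file, then the kinds of values an
// RFI bug hands to the file functions. Only the first one is opened.
foreach ([__FILE__, 'http://example.invalid/x.txt', 'php://stdin', 'data:text/plain,hi'] as $p) {
    try {
        $fh = local_fopen($p, 'r');
        echo "opened locally: $p\n";
        fclose($fh);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

A path without a scheme still goes through PHP's built-in `file` wrapper, so the rejection list does not need to know which wrappers are registered; `stream_get_wrappers()` is only needed if you want to log which one was attempted.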