> If include of data urls is enabled, the attacker could do the same with
> &file=data:image/png;base64,PD9waHAgZXZhbCgkX0dFVFsiY29kZSJdKTsgPz4K
Okay, I got it ;-)
So it would be nice if someone could update the documentation and set the bug
to "resolved".
Thanks for your help.
On 11/03/13 12:36, Christian Stoller wrote:
> Hi Stas.
>> I'm afraid it is not a good idea. allow_url_fopen is meant to protect
>> file functions (fopen and friends) from being injected with
>> user-controlled data - i.e. if you control the filesystem and you do
>> fopen() under allow_url_fopen the
Hi Stas.
> I'm afraid it is not a good idea. allow_url_fopen is meant to protect
> file functions (fopen and friends) from being injected with
> user-controlled data - i.e. if you control the filesystem and you do
> fopen() under allow_url_fopen then it is reasonable to assume the data
> under tha
Hi!
> I have run into a bug, which has been open since 2009. It would be nice if
> you could look at https://bugs.php.net/bug.php?id=47336 It has been
> marked as “documentation problem”. But in my opinion the
> implementation should follow the documentation and allow fopen
> “data://” streams even if “
Dear PHP developers,
I have run into a bug, which has been open since 2009. It would be nice if you could
look at https://bugs.php.net/bug.php?id=47336
It has been marked as “documentation problem”. But in my opinion the
implementation should follow the documentation and allow fopen “data://”
streams