Newsgroups: php.internals
Message-ID: <20041209100321.53874.qmail@pb1.pair.com>
To: internals@lists.php.net
Date: Thu, 09 Dec 2004 10:03:20 +0000
Subject: allow_url_fopen ini directive not enough
From: kelvinj@gmail.com (KJ)

Hi,

I would like to see a new directive to go alongside "allow_url_fopen" to allow people to turn on or off the ability to include/require a remote file.

The ability to include and execute a file as php from a remote host leaves many applications open to cross-site-scripting attacks. This would be easily avoidable if we had a directive (allow_url_include?) that by default removed this capability.

Any thoughts?

KJ
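
The configuration question raised in the message above, as an added example that is not part of the original post and not PHP project code: a small php.ini audit that reports whether include/require of a remote URL is enabled. The function names and the `has_include_directive` parameter are hypothetical; `allow_url_include` is used with the name and default-off behaviour the post suggests, and the sample ini text is constructed.

```python
import re

def ini_bool(value):
    """Interpret an ini value the way PHP reads a boolean directive."""
    v = value.strip().strip("\"'").lower()
    if v in ("on", "yes", "true"):
        return True
    # Any other value counts as true only if it is a non-zero integer.
    return bool(re.fullmatch(r"-?\d+", v)) and int(v) != 0

def ini_flags(ini_text):
    """Return {directive: bool} for the URL-wrapper directives set in ini_text."""
    flags = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ';' comments
        m = re.match(r"(allow_url_(?:fopen|include))\s*=\s*(.*)$", line)
        if m:
            flags[m.group(1)] = ini_bool(m.group(2))  # a later line overrides
    return flags

def remote_include_possible(ini_text, has_include_directive):
    """True if include/require of a remote URL is enabled by this configuration.

    has_include_directive (hypothetical parameter): whether the PHP build
    implements the separate include switch proposed in the post.
    """
    flags = ini_flags(ini_text)
    if not flags.get("allow_url_fopen", True):  # allow_url_fopen defaults to On
        return False
    if not has_include_directive:
        # Situation described in the post: one switch covers both
        # fopen() on URLs and include/require on URLs.
        return True
    # Proposed behaviour: remote include stays off unless explicitly enabled.
    return flags.get("allow_url_include", False)

# Constructed sample configuration, not taken from the post.
SAMPLE_INI = """\
[PHP]
allow_url_fopen = On
;allow_url_include = On
"""

if __name__ == "__main__":
    for supported in (False, True):
        print(supported, remote_include_possible(SAMPLE_INI, supported))
```
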