Newsgroups: php.internals
Message-ID: <42BF9A46.4060108@ohgaki.net>
Date: Mon, 27 Jun 2005 15:18:46 +0900
From: Yasuo Ohgaki <yohgaki@ohgaki.net>
To: Stefan Esser
CC: messju mohr, Matthew Charles Kavanagh, internals@lists.php.net
Subject: Re: [PHP-DEV] Re: allow_url_fopen should be INI_ALL

I think most of us can agree with the following statement: "allow_url_fopen = ON" is dangerous, and the feature is not useful most of the time.

Stefan Esser wrote:
>> It's not stupid to prevent them from being made. But that's not what
>> an admin does. When the admin comes into play, the application is
>> already "made" and employed. The admin just prevents it from working
>> as the developer and the qa-team intended.
>
> The admin is deciding what is allowed on his system and what not. Any
> application that cannot deal with different setups is simply broken.
>
> Same for register_globals/magic_quotes_gpc. If your application does not
> behave in the same way with any of these features turned on or off, it
> is simply broken.

I think you missed my point.

- allow_url_fopen is ON by default.
- allow_url_fopen is an INI_SYSTEM directive (i.e. this setting cannot be changed from a script).

Obviously, the current setting is less secure than

- allow_url_fopen = OFF
- allow_url_fopen = INI_ALL

The latter setting is more secure, and one can use the allow_url_fopen feature when it is needed.

--
Yasuo Ohgaki
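The point of the post above, as an added example that is not part of the thread: because allow_url_fopen is INI_SYSTEM, ini_set() cannot turn it off, so an application that wants the same behaviour on every host has to refuse wrapper URLs itself. The function names, the temp directory and the sample file are assumptions made for this example; it assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread. allow_url_fopen is INI_SYSTEM,
// so the script cannot disable it; instead it refuses wrapper URLs itself.

// ini_set() returns false when a directive cannot be changed at runtime,
// which is the case for an INI_SYSTEM directive such as allow_url_fopen.
function try_disable_url_fopen(): bool
{
    return ini_set('allow_url_fopen', '0') !== false;
}

// True when $path starts with a stream-wrapper scheme (http://, ftp://,
// data:, php://, phar://, ...). A scheme of two or more characters is
// required so a Windows drive letter such as "C:" is not mistaken for one.
function is_wrapper_path(string $path): bool
{
    return (bool) preg_match('#^[a-z][a-z0-9+.\-]+:#i', $path);
}

// Opens $name only as a plain file inside $baseDir. Wrapper URLs are
// rejected whatever allow_url_fopen is set to, and realpath() plus the
// prefix check keep the result inside $baseDir.
function open_local_file(string $baseDir, string $name)
{
    if (is_wrapper_path($name)) {
        throw new InvalidArgumentException("wrapper URLs are not accepted: $name");
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException("path escapes $baseDir: $name");
    }
    return fopen($full, 'rb');
}

// Demonstration on a constructed temp directory (hypothetical sample data).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'allow_url_fopen_demo';
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'config.txt', "key=value\n");

var_dump(try_disable_url_fopen());
var_dump(is_wrapper_path('http://example.com/x'));
var_dump(is_wrapper_path('config.txt'));
$fh = open_local_file($dir, 'config.txt');
echo fgets($fh);
fclose($fh);
```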