Newsgroups: php.internals
Subject: Re: [PHP-DEV] Re: allow_url_fopen should be INI_ALL
From: Stefan Esser <sesser@php.net>
To: Yasuo Ohgaki
CC: messju mohr, Matthew Charles Kavanagh, internals@lists.php.net
Date: Mon, 27 Jun 2005 09:24:13 +0200
Message-ID: <42BFA99D.70004@php.net>
In-Reply-To: <42BF9A46.4060108@ohgaki.net>

> I think most of us can agree with the following statement:
>
> "allow_url_fopen = ON" is dangerous and the feature is not
> useful most of the time.

No, allow_url_fopen = ON is not dangerous, and it is a very useful feature when you want to fopen() a remote URL.

What you may consider dangerous is that URLs work with include/require. I was always against such nonsense, because it is actually always bad to require a remote file, no matter whether it is over the internet or in a VPN/intranet. From my point of view it would have been better to have another ini directive like allow_url_includes that defaults to off.

However, under no circumstances can allow_url_fopen be turned back to INI_ALL. An admin has to decide whether he allows any kind of access to remote files, and this is his only way to disable the remote file wrappers.

Without a new ini directive I only see the possibility of building an emulation layer:

  Sys: allow_url_fopen = Off -> User: ini_set("allow_url_fopen", 1) fails
  Sys: allow_url_fopen = On  -> User: ini_set("allow_url_fopen", 0/1) works

Stefan

--
--------------------------------------------------------------------------
Stefan Esser                                            sesser@php.net
Hardened-PHP Project                          http://www.hardened-php.net/
GPG-Key                 gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
Key fingerprint       7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78
--------------------------------------------------------------------------
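The distinction drawn in the mail (remote fopen() can be legitimate, remote include/require never is) can also be enforced in userland, independently of what the INI settings end up being. The following is an added example written for this page; it is not code from the mail, from PHP itself, or from the Hardened-PHP project. The helper names `is_remote_or_wrapper_path`, `safe_require` and `remote_file_policy` are assumptions. It uses the real `allow_url_include` directive that PHP added in 5.2 (default Off), which is what the mail's proposed `allow_url_includes` became.

```php
<?php
// Added example: a userland guard that refuses to include anything that
// names a stream wrapper or URL, plus a report of the effective policy.
declare(strict_types=1);

/**
 * True when $path names a stream wrapper or remote URL (http://, ftp://,
 * php://, data:, ...) instead of a plain local file. Scheme detection
 * follows the shape PHP's stream layer accepts: a scheme followed by
 * "://", or the special "data:" wrapper. Windows drive letters such as
 * "C:\" do not match.
 */
function is_remote_or_wrapper_path(string $path): bool
{
    if (preg_match('~^[a-zA-Z][a-zA-Z0-9+.-]*://~', $path) === 1) {
        return true;
    }
    return stripos($path, 'data:') === 0; // data: carries no "//"
}

/**
 * include/require replacement (assumed helper name) that only ever loads
 * files beneath $baseDir, whatever allow_url_fopen/allow_url_include say.
 */
function safe_require(string $path, string $baseDir): mixed
{
    if (is_remote_or_wrapper_path($path)) {
        throw new RuntimeException("refusing to include stream URL: $path");
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $path);
    // realpath() resolves "..", so a prefix check is enough to keep the
    // resolved file inside $baseDir.
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("include path escapes $baseDir: $path");
    }
    return require $real;
}

/**
 * Effective policy as the running script sees it. allow_url_fopen is
 * PHP_INI_SYSTEM, so ini_get() here reflects the administrator's choice;
 * allow_url_include (PHP >= 5.2, default Off) additionally gates
 * include/require and only has effect when allow_url_fopen is On.
 */
function remote_file_policy(): array
{
    $fopen   = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
    $include = filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
    return [
        'remote_fopen_allowed'   => $fopen,
        'remote_include_allowed' => $fopen && $include,
    ];
}

// Constructed sample inputs for the guard (not from the mail).
$samples = [
    'lib/helpers.php',
    'http://example.invalid/x.php',
    'php://input',
    'data:text/plain,hello',
    'C:\\inc\\a.php',
];
foreach ($samples as $p) {
    printf("%-32s remote/wrapper: %s\n", $p,
        is_remote_or_wrapper_path($p) ? 'yes' : 'no');
}
print_r(remote_file_policy());
```

Running it prints `yes` for the http://, php:// and data: inputs and `no` for the two local paths, then the two policy flags for the current configuration. In a deployment the point is that `safe_require()` rejects URL includes even on a host where `allow_url_fopen` is On, which is exactly the separation the mail argues for.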