Newsgroups: php.internals
Date: Mon, 27 Jun 2005 09:29:06 +0200 (CEST)
From: derick@php.net (Derick Rethans)
To: Stefan Esser
Cc: PHP Developers Mailing List
Subject: Re: [PHP-DEV] Re: allow_url_fopen should be INI_ALL

On Mon, 27 Jun 2005, Stefan Esser wrote:

> From my point of view it would have been better to have another ini directive
> like allow_url_includes that defaults to off. However under no circumstances
> allow_url_fopen can be turned back to INI_ALL. An admin has to decide if he
> allows any kind of access to remote files and this is his only way to achieve
> disabling remote file wrappers.
>
> Without a new ini directive I only see the possibility to build an emulation
> layer:
>
> Sys: allow_url_fopen = Off -> User: ini_set("allow_url_fopen",1) fails
> Sys: allow_url_fopen = On -> User: ini_set("allow_url_fopen",0/1) works

You can use in httpd.conf:

php_admin_value allow_url_fopen 0

which users can not override already... so I don't see the point of
implementing the behavior that you have (otherwise it's a good idea).
What we should perhaps do is revert the change that made allow_url_fopen
back to INI_ALL...

regards,
Derick

--
Derick Rethans
http://derickrethans.nl | http://ez.no | http://xdebug.org
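
One way to check the lock-down discussed in this message, as an added example that is not part of the original e-mail or of PHP's own code: a script that attempts the runtime override and reports whether it took effect. The function names `as_bool` and `audit_allow_url_fopen` are made up for illustration.

```php
<?php
// Added example, not from the thread. Reports whether user code can change
// allow_url_fopen in the context (vhost/directory) where this script runs.

function as_bool($raw)
{
    // ini_get() returns strings such as "1", "0", "" or "On".
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

function audit_allow_url_fopen()
{
    $name   = 'allow_url_fopen';
    $before = ini_get($name);

    // Ask for the opposite of the current value. ini_set() returns false
    // when the directive cannot be changed at runtime.
    $wanted = as_bool($before) ? '0' : '1';
    $result = ini_set($name, $wanted);
    $after  = ini_get($name);

    $changed = ($result !== false) && (as_bool($after) !== as_bool($before));
    if ($changed) {
        ini_set($name, $before);   // put the original value back
    }

    // 'access' is the bitmask of places the directive may be set from:
    // 1 = user scripts, 2 = per-directory, 4 = system; 7 = INI_ALL.
    $all    = ini_get_all(null, true);
    $access = isset($all[$name]['access']) ? $all[$name]['access'] : null;

    return array(
        'enabled'          => as_bool($before),
        'runtime_override' => $changed,
        'access'           => $access,
    );
}

$r = audit_allow_url_fopen();
printf("allow_url_fopen enabled:  %s\n", $r['enabled'] ? 'yes' : 'no');
printf("ini_set() override works: %s\n", $r['runtime_override'] ? 'yes' : 'no');
printf("access bitmask:           %s\n", var_export($r['access'], true));
```

Request it through the web server for the virtual host in question, since `php_admin_value` lines in httpd.conf do not apply to the command-line PHP binary.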