Newsgroups: php.internals
Message-ID: <42BFAB75.4090103@lerdorf.com>
Date: Mon, 27 Jun 2005 10:32:05 +0300
To: Derick Rethans
CC: Stefan Esser, PHP Developers Mailing List
Subject: Re: [PHP-DEV] Re: allow_url_fopen should be INI_ALL
From: rasmus@lerdorf.com (Rasmus Lerdorf)

Derick Rethans wrote:
> On Mon, 27 Jun 2005, Stefan Esser wrote:
>
>>From my point of view it would have been better to have another ini directive
>>like allow_url_includes that defaults to off. However under no circumstances
>>allow_url_fopen can be turned back to INI_ALL. An admin has to decide if he
>>allows any kind of access to remote files and this is his only way to achieve
>>disabling remote file wrappers.
>>
>>Without a new ini directive I only see the possibility to build an emulation
>>layer:
>>
>>Sys: allow_url_fopen = Off -> User: ini_set("allow_url_fopen",1) fails
>>Sys: allow_url_fopen = On -> User: ini_set("allow_url_fopen",0/1) works
>
> You can use in httpd.conf:
> php_admin_value allow_url_fopen 0
>
> which users can not override already... so I don't see the point of
> implementing the behavior that you have (otherwise it's a good idea).
>
> What we should perhaps do is revert the change that made allow_url_fopen
> back to INI_ALL...

Yikes, when did that happen? I have been out of Internet reach in the wilds of Finland for a few days, so I missed a bunch of stuff, but making allow_url_fopen an INI_ALL option seems like a fantastically bad idea. Admins should be able to control such settings.

-Rasmus
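
The following is an added example, not part of the original messages and not code from the PHP project: a script an admin can run to see how the running PHP classifies the URL-wrapper directives discussed in this thread and whether a script-level `ini_set()` can actually override them. It assumes PHP 7.0 or later; the function names `access_label` and `audit_directive` are hypothetical, and `allow_url_include` is checked because current PHP versions register a directive of that name (a runtime without it is reported as "not registered").

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// ini_get_all() reports changeability as a bitmask of these constants;
// INI_ALL is all three bits set.
function access_label(int $access): string
{
    if ($access === INI_ALL) {
        return 'INI_ALL';
    }
    $names = [];
    foreach (['INI_USER' => INI_USER, 'INI_PERDIR' => INI_PERDIR,
              'INI_SYSTEM' => INI_SYSTEM] as $label => $bit) {
        if ($access & $bit) {
            $names[] = $label;
        }
    }
    return implode('|', $names);
}

function audit_directive(string $name): array
{
    $all = ini_get_all(null, true);
    if (!isset($all[$name])) {
        return ['directive' => $name, 'access' => 'not registered',
                'value' => null, 'script_can_change' => false];
    }
    $before = (string) ini_get($name);
    // Attempt the override an untrusted script would try, then verify it took.
    $target = in_array(strtolower($before), ['1', 'on', 'true', 'yes'], true) ? '0' : '1';
    $result = @ini_set($name, $target);
    $changed = $result !== false && ini_get($name) === $target;
    if ($changed) {
        ini_set($name, $before); // put the original value back
    }
    return ['directive' => $name,
            'access' => access_label((int) $all[$name]['access']),
            'value' => $before,
            'script_can_change' => $changed];
}

foreach (['allow_url_fopen', 'allow_url_include'] as $directive) {
    $r = audit_directive($directive);
    printf("%-18s access=%-12s value=%-4s script_can_change=%s\n",
        $r['directive'], $r['access'], var_export($r['value'], true),
        $r['script_can_change'] ? 'YES (review)' : 'no');
}
```

Run it under the same SAPI and virtual host whose configuration is being checked, since a CLI run reflects the CLI configuration and not settings applied in httpd.conf.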