Hi,
I would like to see a new directive to go alongside "allow_url_fopen" to
allow people to turn on or off the ability to include/require a remote file.
The ability to include and execute a file as PHP from a remote host
leaves many applications open to cross-site-scripting attacks.
This would be easily avoidable if we had a directive
(allow_url_include?) that by default removed this capability.
Any thoughts?
KJ
Hi
> I would like to see a new directive to go alongside "allow_url_fopen" to
> allow people to turn on or off the ability to include/require a remote
> file.
This feature is provided by hardened php:
But I absolutely +1 on this suggestion.
Daniel
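
An added example, not part of either message above and not code from PHP or Hardened-PHP: a check for whether include/require may fetch a URL on the running interpreter, next to an allow-list resolver that keeps includes local whatever the setting is. It assumes a PHP version that has the allow_url_include ini setting proposed in this thread; the template names and directory layout are hypothetical.

```php
<?php
// Added example, not code from the thread. Template names are hypothetical.

/** True when this runtime would let include/require fetch a URL. */
function remote_include_enabled(): bool
{
    // ini_get() returns the raw string ("1", "On", "", "0") or false if unknown.
    $fopen   = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
    $include = filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
    // allow_url_include only takes effect when allow_url_fopen is also on.
    return $fopen && $include;
}

/** Map a user-supplied page name to a local file, or null if not acceptable. */
function resolve_local_template(string $name, string $baseDir, array $allowed): ?string
{
    // Allow-list first: a value carrying a scheme or path separators
    // never equals a known template name.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {   // missing directory or file
        return null;
    }
    // The resolved file must still sit under the base directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: one template in a temporary directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', '<?php echo "home\n";');

foreach (['home', 'about', 'http://example.invalid/x', '../home'] as $candidate) {
    $file = resolve_local_template($candidate, $dir, ['home', 'about']);
    echo str_pad($candidate, 28), $file === null ? "rejected\n" : 'included: ';
    if ($file !== null) {
        include $file;   // only ever a path under $dir
    }
}
echo 'remote include enabled: ', var_export(remote_include_enabled(), true), "\n";

unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```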