On Sun, Nov 19, 2006 at 03:58:15AM +0700, David Garamond wrote: > Allow_url_fopen is nowadays by far the prominent cause of web exploits > (remote file vulnerability in PHP web applications).
The most prominent cause of web exploits is that idiots are allowed to write web applications. Everything else is damage control. > As an active security measure, I suggest we disable this option by default > in PHP, not just php.ini, because in some systems a hosting user is > allowed to have their own php.ini which might be old/not updated. The PHP > team is also considering turning this option off by default. I don't think Debian needs to second-guess the PHP Team in this case. -- Steve Langasek Give me a lever long enough and a Free OS Debian Developer to set it on, and I can move the world. [EMAIL PROTECTED] http://www.debian.org/ -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

