On Sun, Nov 19, 2006 at 03:58:15AM +0700, David Garamond wrote:

> Allow_url_fopen is nowadays by far the prominent cause of web exploits
> (remote file vulnerability in PHP web applications).

The most prominent cause of web exploits is that idiots are allowed to write
web applications.  Everything else is damage control.

> As an active security measure, I suggest we disable this option by default
> in PHP, not just php.ini, because in some systems a hosting user is
> allowed to have their own php.ini which might be old/not updated. The PHP
> team is also considering turning this option off by default.

I don't think Debian needs to second-guess the PHP Team in this case.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to