> Allow_url_fopen is nowadays by far the prominent cause of web exploits
> (remote file vulnerability in PHP web applications).

That knowledge used to be true when we had PHP4, but I believe its risks are a lot smaller with PHP5, where this setting does not apply to include() and require() calls. Those calls were the most prominent cause of exploits.

> As an active
> security measure, I suggest we disable this option by default in PHP,
> not just php.ini,

Turning it off by default, hardcoding it is really not Debian's job here, the choice is left to the administrator on how to handle that.

cheers,
Thijs

