As of PHP 4.3.4, the allow_url_fopen default was changed from INI_ALL to
INI_SYSTEM.
This change should be reverted, because
1) INI_SYSTEM makes it impossible to patch a vulnerable application by adding ini_set().
    // ini_set() takes string values; with INI_ALL this turns remote file access off
    // for the current script only.
    ini_set('allow_url_fopen', '0');
    // some dangerous include/require statement
    ini_set('allow_url_fopen', '1'); // re-enable if allow_url_fopen is required
2) programmers should be able to control whether a program is allowed to access
remote files or not, and should be able to enable/disable allow_url_fopen
_only_ where the feature is needed.
allow_url_fopen should not be a site-wide configuration, for security reasons.
The preferred solution would be
1) change allow_url_fopen to INI_ALL
2) disable allow_url_fopen by default
I would like to see these changes in PHP 5.1 and PHP 4.4, since these
are security-related changes.
--
Yasuo Ohgaki
--
PHP Internals - PHP Runtime Development Mailing List
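The pattern the mail describes, as an added example that is not part of the original message: a script first tries the ini_set() workaround and checks the return value (ini_set() returns false when the directive is INI_SYSTEM and cannot be changed at runtime), then falls back to a local-path guard that refuses stream-wrapper URLs and traversal regardless of the directive. The function names, the `templates` directory and `page.php` are assumptions for illustration.

```php
<?php
// Added example (not from the original mail): runtime guard for code that
// cannot rely on allow_url_fopen being changeable per script.

/**
 * Try to turn allow_url_fopen off for the current request.
 * Returns true only if the directive was actually changed. When it is
 * INI_SYSTEM (PHP >= 4.3.4), ini_set() returns false and the caller must
 * validate include paths itself.
 */
function try_disable_url_fopen(): bool
{
    return ini_set('allow_url_fopen', '0') !== false;
}

/**
 * Include $relPath only if it resolves to a regular file below $baseDir.
 * Rejects stream-wrapper URLs (http://, ftp://, php://, data:, ...) and
 * "../" traversal no matter what allow_url_fopen is set to.
 * $relPath is expected to be relative to $baseDir, so a "scheme:" prefix
 * never denotes a legitimate local path here.
 */
function include_local_only(string $relPath, string $baseDir)
{
    if (preg_match('#^[a-zA-Z][a-zA-Z0-9+.\-]*:#', $relPath)) {
        throw new InvalidArgumentException("refusing wrapper path: $relPath");
    }
    $base = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $relPath);
    if ($base === false || $real === false || !is_file($real)
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new InvalidArgumentException("refusing path outside $baseDir: $relPath");
    }
    return include $real;
}

// Hypothetical usage: page templates live under ./templates
if (!try_disable_url_fopen()) {
    error_log('allow_url_fopen is INI_SYSTEM here; relying on include_local_only()');
}
include_local_only('page.php', __DIR__ . '/templates');
```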