Derick Rethans wrote:
> On Mon, 27 Jun 2005, Stefan Esser wrote:
> 
> 
>>From my point of view it would have been better to have another ini directive
>>like allow_url_includes that defaults to off. However under no circumstances
>>allow_url_fopen can be turned back to INI_ALL. An admin has to decide if he
>>allows any kind of access to remote files and this is his only way to achieve
>>disabling remote file wrappers.
>>
>>Without a new ini directive I only see the possibility to build an emulation
>>layer:
>>
>>Sys: allow_url_fopen = Off  ->  User: ini_set("allow_url_fopen",1) fails
>>Sys: allow_url_fopen = On -> User: ini_set("allow_url_fopen",0/1) works
> 
> 
> You can use in httpd.conf:
> php_admin_value allow_url_fopen 0
> 
> which users can not override already... so I don't see the point of 
> implementing the behavior that you have (otherwise it's a good idea).
> 
> What we should perhaps do is revert the change that made allow_url_fopen 
> back to INI_ALL...

Yikes, when did that happen?  I have been out of Internet reach in the
wilds of Finland for a few days, so I missed a bunch of stuff, but
making allow_url_fopen an INI_ALL option seems like a fantastically bad
idea.  Admins should be able to control such settings.

-Rasmus

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
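
The lockdown discussed in this thread can be verified from the user's side. The script below is an added example, not part of the original messages or of the PHP project: run in the same vhost as user code, it reports whether `ini_set()` is able to change `allow_url_fopen`. The helper name `probe_directive` is hypothetical.

```php
<?php
// Added example, not code from the thread or from the PHP project.
// Run it through the same SAPI and vhost as user scripts, so that
// httpd.conf settings such as php_admin_value are in effect.

// Hypothetical helper: tries to flip a boolean directive at runtime and
// reports whether user code was able to change it.
function probe_directive(string $name): array
{
    $all = ini_get_all(null, true);
    if (!isset($all[$name])) {
        return ['directive' => $name, 'known' => false];
    }
    $access = $all[$name]['access'];   // bitmask of INI_USER|INI_PERDIR|INI_SYSTEM
    $before = ini_get($name);
    $wasOn  = filter_var($before, FILTER_VALIDATE_BOOLEAN);

    // ini_set() returns false when the change is refused.
    $ret     = ini_set($name, $wasOn ? '0' : '1');
    $isOn    = filter_var(ini_get($name), FILTER_VALIDATE_BOOLEAN);
    $changed = ($ret !== false) && ($isOn !== $wasOn);
    if ($changed) {
        ini_set($name, (string) $before);   // put the original value back
    }
    return [
        'directive'         => $name,
        'known'             => true,
        'value'             => $wasOn ? 'On' : 'Off',
        'level_allows_user' => (bool) ($access & INI_USER),
        'user_can_change'   => $changed,
    ];
}

$report = probe_directive('allow_url_fopen');
foreach ($report as $key => $val) {
    echo str_pad($key, 20), var_export($val, true), PHP_EOL;
}

// Non-zero exit status when user code can override the admin's choice,
// so the check can be wired into a deployment test.
exit(($report['user_can_change'] ?? false) ? 1 : 0);
```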
