Yasuo Ohgaki writes:
 > 1) change allow_url_fopen to INI_ALL
 > 2) disable allow_url_fopen by default
 > 
 > I would like to see these changes in PHP 5.1 and PHP 4.4, since these
 > are security-related changes.

What problem are you trying to solve?  Attacks against the very common
misuse of:
   include "http://example.com/hostile.php"; ?
Or attacks against a graphics library:
   getimagesize("http://example.com/hostile.jpg")
or XML parser:
   simplexml_load_file("http://example.com/hostile.xml")

Derick Rethans writes:
 > I disagree. With proper filtering, or using non-user-supplied 
 > information there is no problem.

The problem is that naive programmers think there is no problem
withOUT proper filtering.  The sharp edges of 'include' are not
visible enough.  I'll bet you that people would not use 'include' and
'includeremotehostilecode' in the identical manner.

-- 
--My blog is at     blog.russnelson.com         | If you want to find
Crynwr sells support for free software  | PGPok | injustice in economic
521 Pleasant Valley Rd. | +1 315-323-1241       | affairs, look for the
Potsdam, NY 13676-3213  |                       | hand of a legislator.
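
One form the "proper filtering" discussed in this thread can take, shown as an added example that is not part of any poster's message or of PHP itself: the helper resolve_page(), the templates directory and the page names are all assumptions made for illustration.

```php
<?php
// Added example; resolve_page(), TEMPLATE_DIR and ALLOWED_PAGES are hypothetical.
// Pattern being replaced: passing request data straight to include, which with
// allow_url_fopen enabled also accepts "http://example.com/hostile.php".

const TEMPLATE_DIR  = __DIR__ . '/templates';        // assumed directory layout
const ALLOWED_PAGES = ['home', 'about', 'contact'];  // assumed page names

/**
 * Map a user-supplied page name to a local template path.
 * Returns null for anything that must not reach include.
 */
function resolve_page(string $name): ?string
{
    // Exact-match allowlist: a URL, a stream wrapper or a traversal string
    // can never be equal to one of the fixed names.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }

    // realpath() only resolves local files and returns false if none exists.
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }

    // Defence in depth: the resolved file must sit inside the template directory
    // (this also catches a symlink that points elsewhere).
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Report the setting the thread is about; ini_get() returns it as a string.
echo 'allow_url_fopen = ', var_export(ini_get('allow_url_fopen'), true), PHP_EOL;

// Constructed sample inputs, including the URL form quoted in the message.
$samples = ['about', 'http://example.com/hostile.php', '../../etc/passwd', 'php://input'];
foreach ($samples as $s) {
    $p = resolve_page($s);
    echo str_pad($s, 34), ' => ', $p === null ? 'rejected' : "include $p", PHP_EOL;
}
```

An allowed name such as "about" is also rejected until templates/about.php actually exists, because realpath() fails for missing files.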

-- 
PHP Internals - PHP Runtime Development Mailing List