> I agree that we need to improve the overall level of security in PHP,
> but I am not sure that focusing on allow_url_fopen is very constructive.
> There are far far more web sites that have these other unfiltered user
> data issues than have url_fopen issues.
I agree with Rasmus. Remote URL Includes are dying out. They are not as
common as they were some time ago. Most released advisories are SQL
Injections nowadays and well maybe Russell's next mail says:
mysql_query() considered harmful.
Ohh btw... Many remote url include holes nowadays are only exploitable
with register_globals=On. And here again you may blame PHP because it
allows an attacker to change the content of uninitialized variables.
(Which can also be achieved in C programs, by populating the stack with
values you want through other code paths).
But I blame the programmers for not initializing their variables
correctly. Not filtering user input...
Ohhh btw Russell, if you really consider include harmful, then simply
install the Hardening-Patch for PHP and live with it. Several big
hosters already use it, and it disallows any remote includes, besides
other include tricks.
Stefan
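The defect the message describes (a variable that is only assigned on one code path, then handed to include, which register_globals=On lets the request fill in) next to the fix it argues for (initialize every variable, filter user input). This is an added example written for this page, not code from the thread or from PHP itself; register_globals is emulated with extract() because the setting no longer exists in current PHP, and the page names, directory layout and function names are hypothetical.

```php
<?php
// Added example, not from the mailing list post. Left side: the classic
// uninitialized-variable include; right side: initialized and allowlisted.

// ---- Vulnerable pattern ------------------------------------------------
// extract() stands in for register_globals=On: every request parameter
// becomes a local variable, including ones the script never set itself.
function render_page_vulnerable(array $request): void
{
    extract($request);                    // emulates register_globals=On
    if (isset($request['debug'])) {
        $page = 'debug.php';              // $page assigned on this path only
    }
    // On the other path $page was never initialized by the script, so its
    // content is whatever the request supplied. With allow_url_fopen=On
    // that value may be a URL, i.e. a remote include.
    include $page;
}

// ---- Hardened pattern ---------------------------------------------------
// Hypothetical page table: the only files include may ever receive.
const ALLOWED_PAGES = [
    'home'  => 'home.php',
    'about' => 'about.php',
    'debug' => 'debug.php',
];

/** Map a request parameter to a local file path without trusting the raw value. */
function resolve_page(array $request): string
{
    $page = 'home';                                   // always initialized
    if (isset($request['page']) && is_string($request['page'])) {
        $page = $request['page'];                     // input taken explicitly
    }
    if (!array_key_exists($page, ALLOWED_PAGES)) {    // filter: allowlist only
        $page = 'home';
    }
    return __DIR__ . '/pages/' . ALLOWED_PAGES[$page];
}

function render_page_hardened(array $request): void
{
    include resolve_page($request);
}

/** Report the ini settings the thread discusses, for a deployment check. */
function include_related_settings(): array
{
    return [
        'register_globals'  => ini_get('register_globals'),   // false on modern PHP
        'allow_url_fopen'   => ini_get('allow_url_fopen'),
        'allow_url_include' => ini_get('allow_url_include'),
    ];
}

// Example usage (constructed requests, not real traffic):
var_dump(resolve_page(['page' => 'about']));                     // .../pages/about.php
var_dump(resolve_page(['page' => 'http://example.invalid/x']));  // falls back to home.php
var_dump(include_related_settings());
```

resolve_page() never lets the request choose an arbitrary string for include: an unknown or non-string value falls back to the default entry, so neither register_globals nor a URL-shaped parameter changes which file is loaded. The settings check is only a report; on PHP where register_globals has been removed ini_get() returns false for it.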
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php