At 04:21 PM 7/28/2005, Ilia Alshanetsky wrote:
Zeev Suraski wrote:
At 01:50 AM 7/28/2005, Ilia Alshanetsky wrote:
Are you therefore saying SOAP support should be 100% disabled when
allow_url_fopen is off?
SOAP is not disabled, simply prevented from querying remote data sources
directly.
What exactly can you do with it other than query remote data sources?
I tend to agree with Adam (and I guess Wez) - SOAP should not be affected
by allow_url_fopen.
Why not simply make the existing INI option only restrict script loading
operations such as include/require, after all this is what it tries to
primarily prevent anyway.
That may be a good alternative. We need to figure out whether there is
any other functionality that may pose a security risk, other than
include/require of remote files - can anybody think of anything? If not,
then that's probably the best alternative:
1. Deprecate allow_url_fopens
2. Introduce allow_remote_code_execution
3. Introduce allow_remote_streams (effectively allow_url_fopens renamed,
except it doesn't affect include/require)
Zeev
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
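
The split proposed in the message above (script loading versus data streams), as an added example that is not part of the original thread: a heuristic Python scan of PHP source that labels each non-local target with the proposed directive that would govern it. The regexes, the set of remote wrappers, the function names and the sample PHP are constructed assumptions; the directive names are the ones proposed in the message.

```python
import re

# Assumed set of remote stream wrappers; a quoted literal starting with one is "remote".
REMOTE = re.compile(r"""^['"](?:https?|ftps?)://""", re.I)
# Script-loading constructs: a remote target here means fetched code gets executed.
CODE_LOAD = re.compile(
    r"\b(include_once|include|require_once|require)\b\s*\(?\s*(.+?)\s*\)?\s*;", re.I)
# Data-stream calls: a remote target here only reads data (SOAP falls in this group).
STREAM = re.compile(r"\b(fopen|file_get_contents|SoapClient)\s*\(\s*(.+?)\s*[,)]", re.I)

# Directive names as proposed in the thread.
GOVERNED_BY = {"code": "allow_remote_code_execution", "stream": "allow_remote_streams"}


def target_kind(arg):
    """Classify the first argument: remote literal, run-time value, or local literal."""
    if REMOTE.match(arg):
        return "remote"
    return "dynamic" if "$" in arg else "local"


def audit(php_source):
    """Return (line, governing directive, construct, target kind) for non-local targets."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for category, pattern in (("code", CODE_LOAD), ("stream", STREAM)):
            for m in pattern.finditer(line):
                kind = target_kind(m.group(2))
                if kind != "local":
                    findings.append((lineno, GOVERNED_BY[category], m.group(1), kind))
    return findings


# Constructed sample input, not taken from any real application.
SAMPLE = '''<?php
require_once('lib/db.php');
include $_GET['page'] . '.php';
include "http://example.com/header.php";
$c = new SoapClient("https://example.com/service.wsdl");
$h = fopen('data/local.txt', 'r');
$d = file_get_contents($feed_url);
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

Line-based regexes miss multi-line statements and will match inside comments, so the output is a review list rather than a verdict.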