In my opinion, it would be a pity to lose the design benefits of stream wrappers in the effort to gain more security when security can be gained without losing the benefits. I think it would be good to allow disabling all urls as Stefan suggested, but if there is a way to restrict to truly local stream wrappers, I would need to be educated as to how this is less secure than outright disabling urls.
The problem is, for user streams you can't be sure they are truly local - user stream can do anything, including accessing any URLs, without the streams layer having any say in that. They only way to ensure that user stream is local is for the stream wrapper author to write it local, which we can't control.
-- Stanislav Malyshev, Zend Products Engineer [EMAIL PROTECTED] http://www.zend.com/ -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
