Stanislav Malyshev wrote: >> In my opinion, it would be a pity to lose the design benefits of stream >> wrappers in the effort to gain more security when security can be gained >> without losing the benefits. I think it would be good to allow >> disabling all urls as Stefan suggested, but if there is a way to >> restrict to truly local stream wrappers, I would need to be educated as >> to how this is less secure than outright disabling urls. > > The problem is, for user streams you can't be sure they are truly > local - user stream can do anything, including accessing any URLs, > without the streams layer having any say in that. They only way to > ensure that user stream is local is for the stream wrapper author to > write it local, which we can't control.
Hi, Actually, the solution I was envisioning would not allow any access to fsockopen() or other remote streams access things inside a user stream wrapper. Perhaps a patch would better illustrate what I'm talking about, so when I get a chance, I'll give it a try. Greg -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
