Hello Stanislav, why then not have ini as follows: allow_url_(fopen|include)_(local|user|remote) That is 6 for the six cases - or is that too easy? We could also have the _remote case be an alias to keep the old style and have full consistency.
best regards marcus Wednesday, May 30, 2007, 2:16:30 AM, you wrote: > According to the plan below, attached is the patch that restricts user > streams from executing dangerous operations inside include context. > Please comment. >>>> I think the problem could be solved this way: >>>> 0. allow_url_include and allow_url_fopen renamed to >>>> allow_remote_include and allow_remote_fopen (not really necessary, >>>> just much cleaner, if you don't like it, ignore it for now). >>>> 1. By default, allow_remote_inclue=0, allow_remote_fopen=1 >>>> 2. Stream can be of three types - remote, local and user/local. >>>> 3. User streams can be declared when registered as either remote or >>>> user/local, remote being the default. >>>> 4. When operation on user/local stream is run, allow_remote_fopen is >>>> disabled if allow_remote_include was disabled. Best regards, Marcus -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
