Hi!

> I have run into a bug which has been open since 2009. It would be nice if
> you could look at https://bugs.php.net/bug.php?id=47336. It has been
> marked as “documentation problem”. But in my opinion the
> implementation should follow the documentation and allow fopen
> “data://” streams even if “allow_url_fopen” is set to “false”.
> Because it is not like opening a maybe manipulated URL.
> 
> It would be really nice if this bug could be fixed soon.

I'm afraid it is not a good idea. allow_url_fopen is meant to protect
file functions (fopen and friends) from being injected with
user-controlled data - i.e. if you control the filesystem and you do
fopen() under allow_url_fopen then it is reasonable to assume the data
under that filename is under your control. However, data:// URLs clearly
violate this assumption no less than http:// URLs do - data: just does
it without even requiring a web server.
-- 
Stanislav Malyshev, Software Architect
SugarCRM: http://www.sugarcrm.com/
(408)454-6900 ext. 227
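
The point made in the reply above, as an added example that is not part of the original message or of PHP itself: a data: name carries its own content, so code that must only read local files can refuse wrapper names outright instead of relying on the ini setting. The helper names wrapper_scheme() and open_local_file() are hypothetical, and all inputs are constructed.

```php
<?php
// Added illustration, not code from the thread. wrapper_scheme() and
// open_local_file() are hypothetical helper names; all inputs are constructed.

// Return the stream wrapper a name would select, or null for a plain path.
// PHP recognises "scheme://" (scheme longer than one character, so "C:\x"
// stays a path) and, as a special case, the "data:" form without slashes.
function wrapper_scheme(string $name): ?string
{
    if (strncasecmp($name, 'data:', 5) === 0) {
        return 'data';
    }
    if (preg_match('~^([a-z0-9+.\-]{2,})://~i', $name, $m)) {
        return strtolower($m[1]);
    }
    return null;
}

// Open a name only if it is a plain filesystem path, whatever the ini setting is.
function open_local_file(string $name)
{
    $scheme = wrapper_scheme($name);
    if ($scheme !== null) {
        throw new InvalidArgumentException("stream wrapper '$scheme' refused");
    }
    return fopen($name, 'rb');
}

$inline = 'data://text/plain;base64,' . base64_encode('constructed sample bytes');

// With allow_url_fopen on, the "file" content is whatever the name itself carries;
// with it off, PHP refuses the wrapper and file_get_contents() returns false.
printf("allow_url_fopen=%s\n", var_export(ini_get('allow_url_fopen'), true));
var_dump(@file_get_contents($inline));

foreach ([__FILE__, $inline, 'data:text/plain,constructed', 'http://example.invalid/x'] as $name) {
    try {
        $fh = open_local_file($name);
        printf("opened   %s\n", $name);
        fclose($fh);
    } catch (InvalidArgumentException $e) {
        printf("rejected %s (%s)\n", $name, $e->getMessage());
    }
}
```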

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php