Hi! > The root cause of the issue here is preciseness of the setting. > I think you agree that current "allow_url_include=Off" with INI_SYSTEM is > not precise at all.
It is precise - it's doing exactly what it meant to do, separate local wrappers from remote ones. > We need to consider local and remote wrapper separately. > We may better to consider removing all remote wrapper support from > include/require. That's exactly what this setting is doing. > It's rarely used and user can execute remote script easily with PHP. > e.g. eval(readfile('http://host/script')). This setting is indeed rarely used and not recommended to enable, but since it's off by default, I assume anybody enabling it knows what they are doing. > for "allow_url_include=Off", but there may be others. If we remove most > local wrapper > support(php://input, user wrappers, etc) from include/require, we don't > need 2nd parameter. i.e. As I previously noted, php://input is considered remote already. As for others, I'm not sure why we would want to remove them. -- Stas Malyshev smalys...@gmail.com -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php