Hi!

> The root cause of the issue here is preciseness of the setting. 
> I think you agree that current "allow_url_include=Off" with INI_SYSTEM is
> not precise at all.

It is precise - it's doing exactly what it's meant to do, separate local
wrappers from remote ones.

> We need to consider local and remote wrapper separately.
> We may better to consider removing all remote wrapper support from
> include/require.

That's exactly what this setting is doing.

> It's rarely used and user can execute remote script easily with PHP.
> e.g. eval(readfile('http://host/script')).

This setting is indeed rarely used and not recommended to enable, but
since it's off by default, I assume anybody enabling it knows what they
are doing.

> for "allow_url_include=Off", but there may be others. If we remove most
> local wrapper support (php://input, user wrappers, etc.) from
> include/require, we don't need 2nd parameter. i.e.

As I previously noted, php://input is considered remote already. As for
others, I'm not sure why we would want to remove them.

-- 
Stas Malyshev
smalys...@gmail.com

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
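
The local/remote split discussed in this message can be observed with the sketch below, which is an added example and not code from the thread or from PHP itself. It assumes PHP 7.4+ on the CLI with allow_url_fopen=On; DemoWrapper and the demolocal/demourl schemes are hypothetical names. With allow_url_include=Off, the registration flagged STREAM_IS_URL and the data: URI are refused, while the unflagged registration of the same class is included.

```php
<?php
// Added example: DemoWrapper and the demolocal/demourl schemes are hypothetical.
final class DemoWrapper
{
    public $context;                        // populated by PHP on open
    private string $code = '<?php return "ran";';
    private int $pos = 0;

    public function stream_open($path, $mode, $options, &$opened_path): bool
    {
        $this->pos = 0;
        return true;
    }

    public function stream_read($count)
    {
        $chunk = substr($this->code, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }

    public function stream_eof(): bool
    {
        return $this->pos >= strlen($this->code);
    }

    public function stream_stat()
    {
        return ['size' => strlen($this->code)];
    }

    public function stream_set_option($option, $arg1, $arg2): bool
    {
        return false;                       // no options supported
    }
}

// Same class registered twice; only the flag differs.
stream_wrapper_register('demolocal', DemoWrapper::class);               // local
stream_wrapper_register('demourl', DemoWrapper::class, STREAM_IS_URL);  // remote

function try_include(string $uri): string
{
    $result = @include $uri;                // a refused include returns false
    return $result === false ? 'refused' : 'included';
}

printf("allow_url_include=%s\n", ini_get('allow_url_include'));
foreach (['demolocal://x', 'demourl://x', 'data://text/plain,<?php return 1;'] as $uri) {
    printf("%-36s %s\n", $uri, try_include($uri));
}
```

When auditing a code base, the flags argument of each stream_wrapper_register() call is therefore the thing to review alongside the ini setting.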
