I think this is fine. - Stig
On Tue, 2002-04-16 at 19:06, Wez Furlong wrote:
> There is currently (and probably has been for quite a few releases) a
> crash bug where allow_url_fopen can not be set on a per-virtual host basis.
> That's because wrappers are only initialized on module init if
> PG(allow_url_fopen) is set, rather than request init.
>
> I plan to change it so that wrappers are *always* initialized.
>
> So that the allow_url_fopen setting is respected, I'm adding an is_url
> field to the wrapper structure. If a wrapper has this field set and
> PG(allow_url_fopen) is not set, the streams system will display a warning
> stating that URLs are not allowed.
>
> Now, the question is: was the original intention of the allow_url_fopen
> setting to prevent people from running scripts that contact the network?
> If so, it would be OK to have the zlib, bzip2 and user-space wrappers
> classed as not being a url for the purposes of this security/policy check?
>
> Here's a chart summarizing the new behaviour:
>
> wrapper    allow_url_fopen=on    allow_url_fopen=off
> ====================================================
> http       allowed               disallowed
> ftp        allowed               disallowed
> bzip2      allowed               allowed
> zlib       allowed               allowed
> user       allowed               allowed
>
> user-space streams could potentially access the network using
> fsockopen etc., but I don't think this is an issue because the
> admin can then disable the use of that function as well.
>
> Are there any reasons against this?
>
> --Wez.
>
> --
> Wez Furlong
> The Brain Room Ltd.
>
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, visit: http://www.php.net/unsub.php
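
The check proposed in the quoted mail, sketched as an added example; it is not code from the thread or from the PHP source. Only the is_url field and the chart's wrapper names come from the mail: the struct layout, the function names, the "scheme:" path syntax and the sample paths are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the wrapper structure; only is_url is from the mail. */
struct wrapper { const char *name; int is_url; };

/* Always registered, whatever the configuration; flags follow the chart. */
static const struct wrapper wrappers[] = {
    {"http", 1}, {"ftp", 1}, {"bzip2", 0}, {"zlib", 0}, {"user", 0},
};

/* Case-insensitive scheme match, so "HTTP:" cannot slip past the check. */
static int scheme_is(const char *path, size_t n, const char *name)
{
    if (strlen(name) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)path[i]) != name[i]) return 0;
    return 1;
}

/* Wrapper named by the "scheme:" prefix of path, or NULL for a plain file. */
static const struct wrapper *locate_wrapper(const char *path)
{
    const char *colon = strchr(path, ':');
    if (colon == NULL) return NULL;
    for (size_t i = 0; i < sizeof wrappers / sizeof wrappers[0]; i++)
        if (scheme_is(path, (size_t)(colon - path), wrappers[i].name))
            return &wrappers[i];
    return NULL;
}

/* Open-time check against the current request's setting: 1 = proceed, 0 = refused. */
int open_permitted(const char *path, int allow_url_fopen)
{
    const struct wrapper *w = locate_wrapper(path);
    if (w != NULL && w->is_url && !allow_url_fopen) {
        fprintf(stderr, "warning: URLs are not allowed (%s wrapper)\n", w->name);
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed paths, setting off: prints "0 1". */
    printf("%d ", open_permitted("http://example.test/a", 0));
    printf("%d\n", open_permitted("zlib:/tmp/a.gz", 0));
    return 0;
}
```

Because the setting is an argument to the check rather than a condition for registering wrappers, two virtual hosts with different allow_url_fopen values can share one wrapper table.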