Re: [PHP-DEV] data stream restricted by allow_url_fopen (Bug #47336)

2013-03-11 Thread Stas Malyshev
Hi! I have run into a bug which has been open since 2009. It would be nice if you could look at https://bugs.php.net/bug.php?id=47336. It has been marked as “documentation problem”. But in my opinion the implementation should follow the documentation and allow fopen “data://” streams even if

RE: [PHP-DEV] data stream restricted by allow_url_fopen (Bug #47336)

2013-03-11 Thread Christian Stoller
Hi Stas. I'm afraid it is not a good idea. allow_url_fopen is meant to protect file functions (fopen and friends) from being injected with user-controlled data - i.e. if you control the filesystem and you do fopen() under allow_url_fopen then it is reasonable to assume the data under that

Re: [PHP-DEV] data stream restricted by allow_url_fopen (Bug #47336)

2013-03-11 Thread Ángel González
On 11/03/13 12:36, Christian Stoller wrote:
> Hi Stas. I'm afraid it is not a good idea. allow_url_fopen is meant to protect file functions (fopen and friends) from being injected with user-controlled data - i.e. if you control the filesystem and you do fopen() under allow_url_fopen then it is reasonable to assume the data under that it is

RE: [PHP-DEV] data stream restricted by allow_url_fopen (Bug #47336)

2013-03-11 Thread Christian Stoller
If include of data urls is enabled, the attacker could do the same with file=data:image/png;base64,PD9waHAgZXZhbCgkX0dFVFsiY29kZSJdKTsgPz4K

Okay, I got it ;-) So it would be nice if someone could update the documentation and set the bug to resolved.

Thanks for your help.