Hi,
I would like to see a new directive to go alongside "allow_url_fopen" to allow people to turn on or off the ability to include/require a remote file.
The ability to include and execute a file as php from a remote host leaves many applications open to cross-site-scripting attacks. This would be easily avoidable if we had a directive (allow_url_include?) that by default removed this capability.
Any thoughts?
Kelvin
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
