Hi all,
The "Migrating from PHP 7.3.x to 7.4.x" (https://www.php.net/manual/en/migration74.deprecated.php) mentions the deprecation of the php.ini entry 'allow_url_include*'*, but does not give any explanation on the consequences.
Google only pointed me to several stackoverflow links that stated to simply remove it or to sett it to 'off', but nobody explained if this has any side effects/consequences.
So I come here to ask if you can help me:
Is it now on/off by default?
Did PHP remove the functionality completely?
Is there an alternative configuration flag?
I am aware that there are security issues with allow_url_include as mentioned in RFC https://wiki.php.net/rfc/allow_url_include, but this RFC was closed without removing it.
Is there anything that developers need to do/know when simply removing the flag from PHP.ini?
Why do I ask here and not simply try?
The reason why I am asking is because will get an issue in one module of the DVWA project (https://github.com/digininja/DVWA/pulse) and I am not familiar enough with this part to distinguish an hidden error from the intended way this module should work. On the first blink it seems to be okay, but I would like to be sure.
And also this is a documentation issue. A deprecation announcement should have at least two sentences about the consequences and on what to do if you are affected.
Kind regards
Felix Mues
The "Migrating from PHP 7.3.x to 7.4.x" (https://www.php.net/manual/en/migration74.deprecated.php) mentions the deprecation of the php.ini entry 'allow_url_include*'*, but does not give any explanation on the consequences.
Google only pointed me to several stackoverflow links that stated to simply remove it or to sett it to 'off', but nobody explained if this has any side effects/consequences.
So I come here to ask if you can help me:
Is it now on/off by default?
Did PHP remove the functionality completely?
Is there an alternative configuration flag?
I am aware that there are security issues with allow_url_include as mentioned in RFC https://wiki.php.net/rfc/allow_url_include, but this RFC was closed without removing it.
Is there anything that developers need to do/know when simply removing the flag from PHP.ini?
Why do I ask here and not simply try?
The reason why I am asking is because will get an issue in one module of the DVWA project (https://github.com/digininja/DVWA/pulse) and I am not familiar enough with this part to distinguish an hidden error from the intended way this module should work. On the first blink it seems to be okay, but I would like to be sure.
And also this is a documentation issue. A deprecation announcement should have at least two sentences about the consequences and on what to do if you are affected.
Kind regards
Felix Mues