Hi all,
The "Migrating from PHP 7.3.x to 7.4.x"
(https://www.php.net/manual/en/migration74.deprecated.php) mentions the
deprecation of the php.ini entry 'allow_url_include*'*, but does not
give any explanation on the consequences.
Google only pointed me to several Stackoverflow links that stated to
simply remove it or to sett it to 'off', but nobody explained if this
has any side effects/consequences.
So I come here to ask if you can help me:
Is it now on/off by default?
Did PHP remove the functionality completely?
Is there an alternative configuration flag?
I am aware that there are security issues with allow_url_include as
mentioned in RFC https://wiki.php.net/rfc/allow_url_include, but this
RFC was closed without removing it.
Is there anything that developers need to do/know when simply removing
the flag from PHP.ini?
Why do I ask here and not simply try?
The reason why I am asking is because will get an issue in one module of
the DVWA project (https://github.com/digininja/DVWA/pulse) and I am not
familiar enough with this part to distinguish an hidden error from the
intended way this module should work. On the first blink it seems to be
okay, but I would like to be sure.
And also this is a documentation issue. A deprecation announcement
should have at least two sentences about the consequences and on what to
do if you are affected.
Kind regards
Felix Mues
P.S.: This is my First try posting to a developer mailing list. I hope
this will not end up in several duplicated mails.
