> Op 19 feb. 2023 om 14:42 heeft Felix Mues <felix.mues@xxxxxxxxxxxxxx> het volgende geschreven: > > Hi all, > > The "Migrating from PHP 7.3.x to 7.4.x" (https://www.php.net/manual/en/migration74.deprecated.php) mentions the deprecation of the php.ini entry 'allow_url_include*'*, but does not give any explanation on the consequences. > Google only pointed me to several Stackoverflow links that stated to simply remove it or to sett it to 'off', but nobody explained if this has any side effects/consequences. > > So I come here to ask if you can help me: > > Is it now on/off by default? > Did PHP remove the functionality completely? > Is there an alternative configuration flag? > I am aware that there are security issues with allow_url_include as mentioned in RFC https://wiki.php.net/rfc/allow_url_include, but this RFC was closed without removing it. > > Is there anything that developers need to do/know when simply removing the flag from PHP.ini? > > Why do I ask here and not simply try? > The reason why I am asking is because will get an issue in one module of the DVWA project (https://github.com/digininja/DVWA/pulse) and I am not familiar enough with this part to distinguish an hidden error from the intended way this module should work. On the first blink it seems to be okay, but I would like to be sure. > > And also this is a documentation issue. A deprecation announcement should have at least two sentences about the consequences and on what to do if you are affected. > > Kind regards > > Felix Mues > > P.S.: This is my First try posting to a developer mailing list. I hope this will not end up in several duplicated mails. It did ;) >
