php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #30557 Disabled "allow_url_fopen" in php.ini
Submitted: 2004-10-26 09:30 UTC Modified: 2004-10-26 09:53 UTC
From: php at bouchery dot com Assigned:
Status: Wont fix Package: Feature/Change Request
PHP Version: Irrelevant OS: all
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: php at bouchery dot com
New email:
PHP Version: OS:

 

 [2004-10-26 09:30 UTC] php at bouchery dot com
Description:
------------
Currently, there are too many people writing news and blogs about the "huge" PHP security hole introduce by "include" and "allow_url_fopen". This mistake is so simple to avoid, but beginners are not so informs and I think it could be simplest to disable this option (allow_url_fopen) in the default php.ini.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-10-26 09:50 UTC] derick@php.net
Sorry, but we can not simply change the default value as there might be scripts out there that rely on this; and we can not simply break them.
 [2004-10-26 09:53 UTC] php at bouchery dot com
hmmm ... we did it with "register_globals", isn't it ?
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 23:01:28 2024 UTC