Bug#399259: [php-maint] Bug#399258: php5: Turn off allow_url_fopen by default

Steve Langasek vorlon at debian.org
Sun Nov 19 01:05:30 CET 2006


On Sun, Nov 19, 2006 at 03:58:15AM +0700, David Garamond wrote:

> Allow_url_fopen is nowadays by far the prominent cause of web exploits
> (remote file vulnerability in PHP web applications).

The most prominent cause of web exploits is that idiots are allowed to write
web applications.  Everything else is damage control.

> As an active security measure, I suggest we disable this option by default
> in PHP, not just php.ini, because in some systems a hosting user is
> allowed to have their own php.ini which might be old/not updated. The PHP
> team is also considering turning this option off by default.

I don't think Debian needs to second-guess the PHP Team in this case.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
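The remote file inclusion pattern the quoted report refers to, shown as an added example that is not part of the thread or of the Debian PHP package: a page loader that hands request input straight to include() (which, with URL wrappers on, fetches and executes whatever the value points at), beside an allowlist version that never lets request text reach include(), plus a startup check on the two ini directives. The page names and the `pages/` directory are placeholders; the code uses current PHP syntax rather than the 2006-era dialect of the thread.

```php
<?php
// Added example (not from the mailing-list thread): a page-loader pattern
// that becomes a remote file inclusion when allow_url_fopen (PHP < 5.2) or
// allow_url_include (PHP >= 5.2) is enabled, beside a hardened version that
// never passes attacker-controlled text to include(). Paths are placeholders.

// --- Vulnerable pattern: include() is driven directly by request input. ---
// With URL wrappers enabled, a value of the form "http://..." makes PHP fetch
// and run remote code. Even with wrappers off, "../" traversal to local files
// remains, so turning the ini flag off is damage control, not a fix.
function load_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// --- Hardened pattern: map the request value onto a fixed allowlist. ---
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(string $requested): ?string
{
    // Only exact allowlist keys are accepted; URLs, traversal sequences and
    // null bytes can never become the argument of include().
    return PAGES[$requested] ?? null;
}

function load_page_hardened(string $requested): void
{
    $path = resolve_page($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include $path;
}

// --- Deployment check: report whether URL wrappers are still enabled. ---
// Both directives are PHP_INI_SYSTEM, so a script cannot switch them off with
// ini_set(); the check only surfaces the state so the operator can fix the
// effective php.ini (including any per-vhost or per-user php.ini).
function url_wrappers_disabled(): bool
{
    return !filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)
        && !filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN);
}

if (!url_wrappers_disabled()) {
    error_log('allow_url_fopen/allow_url_include enabled; set both to Off in php.ini');
}

load_page_hardened($_GET['page'] ?? 'home');
```

The allowlist is the actual control here: it removes the dependence on the ini setting altogether, which matters precisely in the hosting scenario the report describes, where a user-supplied php.ini may re-enable the wrappers.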