Bug#399259: [php-maint] Bug#399258: php5: Turn off allow_url_fopen by default
Steve Langasek
vorlon at debian.org
Sun Nov 19 01:05:30 CET 2006
On Sun, Nov 19, 2006 at 03:58:15AM +0700, David Garamond wrote:
> Allow_url_fopen is nowadays by far the prominent cause of web exploits
> (remote file vulnerability in PHP web applications).
The most prominent cause of web exploits is that idiots are allowed to write
web applications. Everything else is damage control.
> As an active security measure, I suggest we disable this option by default
> in PHP, not just php.ini, because in some systems a hosting user is
> allowed to have their own php.ini which might be old/not updated. The PHP
> team is also considering turning this option off by default.
I don't think Debian needs to second-guess the PHP Team in this case.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
vorlon at debian.org http://www.debian.org/
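The point raised in the quoted report, that a per-user php.ini may leave allow_url_fopen on, can be checked by auditing each file's effective value. The sketch below is an added example, not part of the original thread or of the PHP packaging. The file paths and contents are constructed, and `builtin_default` is an assumption standing for the value compiled into PHP that applies when a file never sets the directive.

```python
import re

# Values PHP's ini parser treats as boolean true (compared case-insensitively).
_TRUE = {"1", "on", "yes", "true"}
# Directive names are case sensitive; a trailing ';' comment is ignored.
_LINE = re.compile(r"^\s*allow_url_fopen\s*=\s*(.*?)\s*(?:;.*)?$")

def effective_allow_url_fopen(ini_text, builtin_default=True):
    """Return (enabled, source) for the text of one php.ini file.

    builtin_default is an assumption: the compiled-in value used when
    the file does not set the directive at all.
    """
    enabled, source = builtin_default, "built-in default"
    for lineno, line in enumerate(ini_text.splitlines(), 1):
        m = _LINE.match(line)  # commented-out lines start with ';' and never match
        if m:
            value = m.group(1).strip("\"'").lower()
            enabled, source = value in _TRUE, f"line {lineno}"  # last assignment wins
    return enabled, source

def audit(files, builtin_default=True):
    """Return {path: source} for every file where the directive ends up enabled."""
    findings = {}
    for path, text in files.items():
        enabled, source = effective_allow_url_fopen(text, builtin_default)
        if enabled:
            findings[path] = source
    return findings

# Constructed sample files (hypothetical paths, not taken from the thread).
SAMPLES = {
    "/etc/php5/apache2/php.ini": "[PHP]\nallow_url_fopen = Off\n",
    "/home/alice/php.ini": "[PHP]\n;allow_url_fopen = Off\nmemory_limit = 16M\n",
    "/home/bob/php.ini": "allow_url_fopen = On ; legacy\nallow_url_fopen = Off\n",
    "/home/carol/php.ini": 'allow_url_fopen = "1"\n',
}

if __name__ == "__main__":
    for path, source in audit(SAMPLES).items():
        print(f"{path}: allow_url_fopen enabled ({source})")
```

The commented-out line in the second sample is the case the report describes: the file looks hardened, but the directive is never set, so the built-in default decides.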