[php-maint] Bug#579922: Bug#579922: libapache2-mod-php5: change allow_url_fopen = Off
Thijs Kinkhorst
thijs at debian.org
Sun Aug 29 11:11:29 UTC 2010
On woansdei 5 Maaie 2010, Raphael Geissert wrote:
> On Sunday 02 May 2010 05:47:13 Toni Mueller wrote:
> > I suggest that this be changed to
> >
> >
> >
> > allow_url_fopen = Off
> >
> >
> >
> > to reduce the change of PHP applications being exploited, and, if you
> > really need to, place a big flashing warning around it to warn users
> > from changing it to "On" again.
> >
> >
>
> No, there are fair use cases for using stream wrappers and making this
> change would break many applications.
>
> Feel free to take this upstream and make the change happen there.
Note that since PHP5 include/require have a separate allow_url_include
parameter which *does* default to Off, making having allow_url_fopen On a lot
less of a risk as it has been in the 4.x era.
Cheers,
Thijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 490 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.alioth.debian.org/pipermail/pkg-php-maint/attachments/20100829/e93d5000/attachment-0001.pgp>
More information about the pkg-php-maint
mailing list