ID:               25461
User updated by:  ashley at netcraft dot com dot au
Reported By:      ashley at netcraft dot com dot au
Status:           Bogus
Bug Type:         Feature/Change Request
Operating System: Linux
PHP Version:      4.3.3
New Comment:
I know there's an option for it, but it should come with a warning that it also enables URLs on include/require.

Previous Comments:
------------------------------------------------------------------------

[2003-09-09 21:02:31] [EMAIL PROTECTED]

Search php.ini-dist (or php.ini-recommended) for "allow_url_fopen" directive.

------------------------------------------------------------------------

[2003-09-09 19:48:43] ashley at netcraft dot com dot au

Description:
------------
I think it's highly insecure that 'include' and 'require' support http:// URLs by default. Why would you want to execute arbitrary code from another web page?

I have seen many sites where they are exploitable because they do

require $page. ".php";

Although this is bad programming, it's still insecure to allow http URLs by default.

Also, I'd strongly suggest never using http includes unless you control the DNS for the domain of the site you are connecting to. Otherwise the hostname could be changed over to a different page.

------------------------------------------------------------------------
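
The pattern quoted in the report next to an allowlist-based alternative, as an added example that is not part of the bug report or of PHP's own code. The page names, the pages/ directory and both function names are hypothetical.

```php
<?php
// Added example, not from the bug report. Page names, the pages/ directory
// and the function names are hypothetical.

// Pattern quoted in the report. With allow_url_fopen enabled, $page may be
// an http:// URL, so the code that gets executed comes from another host:
//   require $page . ".php";

// Hardened form: the request value only selects a key in a fixed map and is
// never concatenated into the path handed to require.
function resolve_page($requested, $baseDir)
{
    $allowed = array(
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    );
    if (!is_string($requested) || !isset($allowed[$requested])) {
        return null; // unknown name, URL or path outside the map
    }
    return rtrim($baseDir, '/') . '/' . $allowed[$requested];
}

// Deployment check: report whether the allow_url_fopen directive named in
// the reply above is enabled for this PHP instance.
function url_wrappers_enabled()
{
    $v = strtolower((string) ini_get('allow_url_fopen'));
    return in_array($v, array('1', 'on', 'true', 'yes'), true);
}

// Constructed sample inputs, including the kinds of value the report warns about.
$samples = array('about', 'http://example.invalid/x', '../../etc/passwd', 'home');
foreach ($samples as $s) {
    $path = resolve_page($s, dirname(__FILE__) . '/pages');
    echo str_pad($s, 28), ' => ', ($path === null ? 'rejected' : $path), "\n";
}
echo 'allow_url_fopen enabled: ', (url_wrappers_enabled() ? 'yes' : 'no'), "\n";
```

In a real handler the non-null result is what gets passed to require, and a null result should end the request with an error page.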