Ilia Alshanetsky wrote:
>
> On 5-Nov-06, at 12:13 PM, Rasmus Lerdorf wrote:
>> The exact same argument could be made for a localhost
>> http or ftp include which we also disallow.
>
> For http allowing localhost access is dangerous simply because the
> person could make the script request itself making a very nasty request
> loop that will instantly result in a denial of service that requires
> nothing short of a web server restart to resolve.

I still think disallowing anything that in any way looks like it could be a remote include, even if under the covers it isn't, is what we should be doing here when allow_url_include is disabled. The chance of false positives doesn't change anything.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php