Hi Stas.

> I'm afraid it is not a good idea. allow_url_fopen is meant to protect
> file functions (fopen and friends) from being injected with
> user-controlled data - i.e. if you control the filesystem and you do
> fopen() under allow_url_fopen then it is reasonable to assume the data
> under that filename is under your control. However, data:// URLs clearly
> violate this assumption no less than http:// URLs do - data: just does
> it without even requiring a web server.

I am unsure whether I understand you. As far as I know with the data:// stream PHP does not access any file on the filesystem. It's just for transforming normal content in a variable to a resource, or not? So I do not see any risk. Maybe you can give me an example.
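
The point in the quoted reply, as an added example that is not part of either message: with a data:// name the content comes from the name itself, so a guard has to reject wrapper prefixes before the name reaches a file function. The helper `is_plain_local_path` and all sample values are hypothetical, and the first part assumes `allow_url_fopen` is enabled.

```php
<?php
declare(strict_types=1);

// Added illustration; every input below is constructed.

/**
 * Hypothetical guard: true only when $name carries no stream-wrapper
 * prefix, so a file function given $name can only reach the local filesystem.
 */
function is_plain_local_path(string $name): bool
{
    // PHP treats "scheme://..." as a wrapper and also accepts "data:" without slashes.
    if (preg_match('/^([a-z0-9+.\-]+):/i', $name, $m) === 1) {
        // A single letter followed by ":" is a Windows drive (C:\...), not a wrapper.
        return strlen($m[1]) === 1;
    }
    return true;
}

// Constructed "filename" such as might arrive in a request parameter.
$name = 'data://text/plain;base64,' . base64_encode("bytes chosen by the sender\n");

// No file is opened: the bytes returned are decoded from the name itself,
// so whoever controls the name controls the content.
if (ini_get('allow_url_fopen')) {
    echo file_get_contents($name);
}

// Run the guard over wrapper-prefixed names and one ordinary relative path.
$candidates = [$name, 'data:text/plain,hello', 'http://example.com/x', 'templates/header.html'];
foreach ($candidates as $candidate) {
    printf("%-60s %s\n", $candidate, is_plain_local_path($candidate) ? 'accept' : 'reject');
}
```

The guard only addresses wrapper prefixes; directory traversal in an accepted path needs its own check.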
