ID:               29410
 Updated by:       [EMAIL PROTECTED]
 Reported By:      anders at schlund dot de
-Status:           Open
+Status:           Wont fix
 Bug Type:         Feature/Change Request
 Operating System: Linux
 PHP Version:      Irrelevant
 New Comment:

Sorry, this won't happen.


Previous Comments:
------------------------------------------------------------------------

[2004-07-27 17:46:12] anders at schlund dot de

Description:
------------
The furl-wrapper enables scripts to open and include data from remote
sites by opening a URL to that data. It is a very powerful and
sometimes extremely useful extension for PHP, so almost no web host
disables this feature.

On the other hand, there are very often cases where insecurely written
scripts allow e.g. inclusion of config files from remote sites by
handing a specially crafted parameter to the script.
Although this is an insecurity in those scripts and not in PHP, PHP can
help to change exploiting those scripts.

Currently, allow_furl_open_wrapper is a system-configurable variable,
i.e. the system administrator decides that all users are allowed to use
this function. If the admin disables this feature, not a single user
can use it. As the feature is useful to many 'power' users, disabling
this feature is usually out of the question.

Idea: change the variable allow_furl_open_wrapper to become a tri-state
variable, e.g. the values On, Off and User.
The 'user'-setting means that the function is initially disabled, but a
user's php.ini or a special php-call from the user's script can enable
this function. That way, a script usually runs in a safe environment and
can enable the potentially dangerous function when it thinks it does
really require usage of the furl_open_wrapper.

Reproduce code:
---------------
n/a

Expected result:
----------------
n/a

Actual result:
--------------
n/a


------------------------------------------------------------------------
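
The report traces the risk to scripts that hand a request parameter
straight to include. As an added example (not part of the bug report and
not PHP project code), the PHP below shows that pattern in a comment next
to a hardened form that only ever includes local, allowlisted files. The
parameter name cfg, the config directory and the allowed names are
assumptions made for illustration.

```php
<?php
// Added example; CONFIG_DIR, ALLOWED, resolve_config() and the 'cfg'
// parameter are hypothetical names, not taken from the bug report.

// Pattern the report describes: a request parameter reaches include as is,
// so with URL wrappers enabled a remote location is fetched and executed.
//   include $_GET['cfg'];

const CONFIG_DIR = __DIR__ . '/config';                 // assumed layout
const ALLOWED    = ['default', 'staging', 'production']; // assumed names

/**
 * Map an untrusted name to a local file inside $dir, or return null.
 */
function resolve_config($name, string $dir = CONFIG_DIR, array $allowed = ALLOWED): ?string
{
    // 1. Allowlist: the request selects a known name and never supplies
    //    a path or URL (also rejects arrays and other non-string input).
    if (!is_string($name) || !in_array($name, $allowed, true)) {
        return null;
    }

    // 2. realpath() resolves local filesystem paths only and returns
    //    false for anything that is not an existing local file.
    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Containment: after symlinks are resolved, the file must still
    //    sit under the config directory.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$file = resolve_config($_GET['cfg'] ?? 'default');
if ($file === null) {
    http_response_code(400);
    exit('unknown configuration');
}
include $file;
```
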


-- 
Edit this bug report at http://bugs.php.net/?id=29410&edit=1
