rfc:allow_url_include
Differences
This shows you the differences between two versions of the page.
Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
rfc:allow_url_include [2015/02/27 09:59] – yohgaki | rfc:allow_url_include [2017/09/22 13:28] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 15: | Line 15: | ||
Current **allow_url_include** behavior is wrong for 3 reasons. | Current **allow_url_include** behavior is wrong for 3 reasons. | ||
- | - Implicit allowance of URL is problematic. It's " | + | - Implicit allowance of URL formed filename |
- It does not make " | - It does not make " | ||
- Being INI_SYSTEM increases risk of security filter bypass. | - Being INI_SYSTEM increases risk of security filter bypass. | ||
Line 68: | Line 68: | ||
PHP_STREAM_LOCAL, | PHP_STREAM_LOCAL, | ||
+ | Pros: | ||
+ | - API looks more systematic/ | ||
+ | |||
+ | Cons: | ||
+ | - More complex and needs lots of modifications than option #1 (More BC) | ||
+ | - Not precise as option #1 | ||
Line 73: | Line 79: | ||
* Some include/ | * Some include/ | ||
- | * If stream wrapper class does not have getType() method, it treated as PHP_STREAM_REMOTE. | + | * Option #2: If stream wrapper class does not have getType() method, it treated as PHP_STREAM_REMOTE. |
===== Proposed PHP Version(s) ===== | ===== Proposed PHP Version(s) ===== |
rfc/allow_url_include.1425031192.txt.gz · Last modified: 2017/09/22 13:28 (external edit)