rfc:allow_url_include

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
rfc:allow_url_include [2015/02/27 09:59] yohgakirfc:allow_url_include [2017/09/22 13:28] (current) – external edit 127.0.0.1
Line 15: Line 15:
 Current **allow_url_include** behavior is wrong for 3 reasons. Current **allow_url_include** behavior is wrong for 3 reasons.
  
-  - Implicit allowance of URL is problematic. It's "caller" responsibility to set this setting as intended. (Or "callee" must have API for overriding it to do the job)+  - Implicit allowance of URL formed filename is problematic. It's "caller" responsibility to set this setting as intended. (Or "callee" must have API for overriding it to do the job)
   - It does not make "include/require" behave as INI setting name implies.   - It does not make "include/require" behave as INI setting name implies.
   - Being INI_SYSTEM increases risk of security filter bypass.   - Being INI_SYSTEM increases risk of security filter bypass.
Line 68: Line 68:
 PHP_STREAM_LOCAL, PHP_STREAM_REMOTE or PHP_STREAM_ALL. PHP_STREAM_LOCAL, PHP_STREAM_REMOTE or PHP_STREAM_ALL.
  
 +Pros:
 +  - API looks more systematic/clean
 +
 +Cons:
 +  - More complex and needs lots of modifications than option #1 (More BC)
 +  - Not precise as option #1
  
  
Line 73: Line 79:
  
   * Some include/require that use implicit URL include need 2nd parameter.   * Some include/require that use implicit URL include need 2nd parameter.
-  * If stream wrapper class does not have getType() method, it treated as PHP_STREAM_REMOTE.+  * Option #2: If stream wrapper class does not have getType() method, it treated as PHP_STREAM_REMOTE.
  
 ===== Proposed PHP Version(s) ===== ===== Proposed PHP Version(s) =====
rfc/allow_url_include.1425031192.txt.gz · Last modified: 2017/09/22 13:28 (external edit)