rfc:allow_url_include

Differences

This shows you the differences between two versions of the page.

rfc:allow_url_include [2015/02/27 10:03] yohgaki
rfc:allow_url_include [2017/09/22 13:28] (current) – external edit 127.0.0.1
Line 15: Line 15:
 Current **allow_url_include** behavior is wrong for 3 reasons. Current **allow_url_include** behavior is wrong for 3 reasons.
  
-  - Implicit allowance of URL is problematic. It's "caller" responsibility to set this setting as intended. (Or "callee" must have API for overriding it to do the job)+  - Implicit allowance of URL formed filename is problematic. It's "caller" responsibility to set this setting as intended. (Or "callee" must have API for overriding it to do the job)
   - It does not make "include/require" behave as INI setting name implies.   - It does not make "include/require" behave as INI setting name implies.
   - Being INI_SYSTEM increases risk of security filter bypass.   - Being INI_SYSTEM increases risk of security filter bypass.
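Review bot: In the first list item, the new phrase "URL formed filename" is harder to parse than the "URL" it replaces. "Filenames in URL form" would carry the same narrowing, and on the same line "It's "caller" responsibility" should read "It is the caller's responsibility". The unchanged third item asserts that being INI_SYSTEM increases the risk of security filter bypass without giving the reason; one sentence explaining how the bypass arises would let a reader evaluate that claim from the list alone.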
rfc/allow_url_include.1425031419.txt.gz · Last modified: 2017/09/22 13:28 (external edit)