rfc:allow_url_include

Differences

This shows you the differences between two versions of the page.

rfc:allow_url_include [2015/02/27 10:03]
yohgaki
rfc:allow_url_include [2017/09/22 13:28] (current)
Line 15: Line 15:
 Current **allow_url_include** behavior is wrong for 3 reasons. Current **allow_url_include** behavior is wrong for 3 reasons.
  
-  - Implicit allowance of URL is problematic. It's "​caller"​ responsibility to set this setting as intended. (Or "​callee"​ must have API for overriding it to do the job)+  - Implicit allowance of URL formed filename ​is problematic. It's "​caller"​ responsibility to set this setting as intended. (Or "​callee"​ must have API for overriding it to do the job)
   - It does not make "​include/​require"​ behave as INI setting name implies.   - It does not make "​include/​require"​ behave as INI setting name implies.
   - Being INI_SYSTEM increases risk of security filter bypass.   - Being INI_SYSTEM increases risk of security filter bypass.
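
Review bot: In the first list item, the new wording "URL formed filename" is ambiguous: it can be read as a filename built from a URL rather than a filename given in URL form. Suggest "URL-form filenames" or "filenames given as URLs". While this line is being touched, "It's "caller" responsibility" should read "It is the caller's responsibility". The item also leaves open where the implicit allowance happens, whereas the following item names include/require explicitly; naming the affected calls here would let the first reason stand on its own.
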
rfc/allow_url_include.txt · Last modified: 2017/09/22 13:28 (external edit)