News Feed
Sections




News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

PHP Security Blog:
PHP 5.2.0 and allow_url_include
November 03, 2006 @ 09:41:23

On the PHP Security Blog, Stefan Esser has posted some of his own opinions on the latest PHP release - version 5.2 - and some of the security implications of it.

Often users have requested that PHP allows disabling URL support for include and require statements while allowing it for the other filesystem functions. Because of this it was planned to have allow_url_include in PHP 6. After some discussion the feature was backported to the PHP 5.2.0 tree.

He also notes that, unfortunately, this functionality only protects against the http(s) and ftp(s) kinds of URLs and not some of the new data URLs included in the functionality of PHP 5.2. He gives two code examples of this kind of issue - one using the "pph://input" and the other using a base64 encoded value.

8 comments voice your opinion now!
security php5 allowurlfopen phpini setting input base64 security php5 allowurlfopen phpini setting input base64


blog comments powered by Disqus

Similar Posts

PlentyofCode.com: J2EE vs ASP.NET vs PHP

Hardened-PHP Project: Advisory - PHProjekt (Remote) Include Vulnerabilities

DevShed: Completing an Extensible Website Engine with PHP 5

Simon Holywell: Improve PHP session cookie security

Brian DeShong's Blog: Small news that's big to me: my PHP Testfest submissions made it into 5_3!


Community Events





Don't see your event here?
Let us know!


laravel introduction bugfix deployment series package voicesoftheelephpant interview symfony list install opinion release podcast library community api language framework tips

All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework