by kennydude 751 days ago
Might be a little naive, but this looks to be mostly exploited by blindly trusting user input, which pretty much always should be avoided.
1 comments

Yes, but people make mistakes, and escalating that to 100 and an RCE is not brilliant.

There really should be an option to just these stupid fopen wrappers. The entire feature is profoundly misguided, and not even that useful.

The post says "Big applications (such as Drupal or Magento) have been disabling the phar:// protocol", but I can't even figure out how to do that in a quick check, other than a configure option.