![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
robbat2Recently I've been digging around in the annuls of Gentoo history, working on what will hopefully be the final tree-signing proposal before it actually becomes a full reality. During the midst of this, Stuart came up to me in #gentoo-dev:
<Stuart> robbat2: btw, did you see this week's LWN?<Stuart> robbat2: the one of using Google Code to find PHP apps that are vulnerable to allow_url_fopen attacks
<Stuart> robbat2: you were right, all those years ago. just wanted to tell you that.
I wasn't the first to come up with the idea, the BSD ports folk were talking about it around the same time we were in mid-July 2003, and I was aware of their discussion, but I believe that Gentoo was the first Linux distribution to make this jump in turning it off. I took a lot of flak at the time for breaking many PHP applications in the name of security, but history has now shown that allow_url_fopen is a very common PHP exploit, and with the advent of Google Code, many sites may now considerably more vulnerable - and all of this could have been mostly avoided a long time ago if PHP had just included a taint mode from the start...
I hadn't read LWN yet, it's only been out a few hours, yet here the article is: "Remote file inclusion vulnerabilities". Stuart also posted a link back into the murky depths of the Gentoo CVS, with a commit I made in July 2003, that turned off allow_url_fopen by default in Gentoo.
