|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2004-05-24 03:49 UTC] pollita@php.net
[2010-10-13 13:49 UTC] php dot net at site dot lanzz dot org
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Thu Apr 03 15:01:30 2025 UTC |
Description: ------------ To improve security against poor coding I wish to disable allow_url_fopen by default and allow users who have a legitimate need for it to enable it themselves via use of .htaccess or ini_set(). Given that allow_url_fopen is listed as PHP_INI_ALL in the docs I thought this would be relatively easy, however I am unable to make it work: Having allow_url_fopen off in php.ini disables it completely - the user cannot activate it via .htaccess or ini_set(). So I tried to use php_flag allow_url_fopen off in my httpd.conf to turn it off by default. However this has no effect at all and users can happily use URL-fopen functions without turning it on. Using php_admin_flag instead of php_flag disables it entirely as if set via php.ini. There appears to be no middle-ground here that lets the user control use of this function instead of everybody or nobody having access. Reproduce code: --------------- httpd.conf ---------- php_flag allow_url_fopen off test.php -------- <?php echo "<p>here is file:</p>"; readfile("http://www.r1ch.net/ohno"); ini_set ("allow_url_fopen", "1"); echo "<p>here is more file:</p>"; readfile("http://www.r1ch.net/ohno"); ?> Expected result: ---------------- here is file: Warning: readfile(): URL file-access is disabled in the server configuration in /.../test.php on line 2 here is more file: ohno Actual result: -------------- here is file: ohno here is more file: ohno