php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #28497 Disabling allow_url_fopen via httpd.conf has no effect
Submitted: 2004-05-23 21:15 UTC Modified: 2004-05-24 03:49 UTC
From: iwonderiftheyllpostthistoapublicnewsgrou Assigned:
Status: Closed Package: Documentation problem
PHP Version: 4.3.6 OS: Linux
Private report: No CVE-ID: None
 [2004-05-23 21:15 UTC] iwonderiftheyllpostthistoapublicnewsgrou
Description:
------------
To improve security against poor coding I wish to disable allow_url_fopen by default and allow users who have a legitimate need for it to enable it themselves via use of .htaccess or ini_set(). Given that allow_url_fopen is listed as PHP_INI_ALL in the docs I thought this would be relatively easy, however I am unable to make it work:

Having allow_url_fopen off in php.ini disables it completely - the user cannot activate it via .htaccess or ini_set(). So I tried to use php_flag allow_url_fopen off in my httpd.conf to turn it off by default. However this has no effect at all and users can happily use URL-fopen functions without turning it on. Using php_admin_flag instead of php_flag disables it entirely as if set via php.ini.

There appears to be no middle-ground here that lets the user control use of this function instead of everybody or nobody having access.

Reproduce code:
---------------
httpd.conf
----------
php_flag allow_url_fopen off

test.php
--------
<?php
echo "<p>here is file:</p>";
readfile("http://www.r1ch.net/ohno");
ini_set ("allow_url_fopen", "1");
echo "<p>here is more file:</p>";
readfile("http://www.r1ch.net/ohno");
?>



Expected result:
----------------
here is file:

Warning: readfile(): URL file-access is disabled in the server configuration in /.../test.php on line 2

here is more file:
ohno

Actual result:
--------------
here is file:
ohno

here is more file:
ohno

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-05-24 03:49 UTC] pollita@php.net
The documentation was incorrect.  allow_url_fopen is meant to be a security feature for allowing the system administrator to completely prohibit the use of url fopen wrappers.  To allow it to be overridden with a simple ini_set() would negate that purpose.

The documentation sources have been updated to read PHP_INI_SYSTEM and should show as such in the next build of the online manual.
 [2010-10-13 13:49 UTC] php dot net at site dot lanzz dot org
At this moment, more than six years after this bug was closed, the documentation 
still lists allow_url_fopen as being PHP_INI_ALL.

http://php.net/manual/en/filesystem.configuration.php
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 20:01:28 2024 UTC