php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #39997 allow_url_fopen "2.0"
Submitted: 2006-12-31 18:58 UTC Modified: 2021-07-27 10:27 UTC
Votes:3
Avg. Score:2.3 ± 1.9
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: phpnet at gwaihir dot net Assigned: cmb (profile)
Status: Wont fix Package: Streams related
PHP Version: 5.2.0 OS: all?
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: phpnet at gwaihir dot net
New email:
PHP Version: OS:

 

 [2006-12-31 18:58 UTC] phpnet at gwaihir dot net
Description:
------------
Securing PHP against accidentally opening a file/stream from a URL instead of the local filesystem is nice, however allow_url_fopen as it is, is just too limited, it needs an "explicit only" setting in addition to just "on" or "off".

In most real world situations, one doesn't want to forbid URL opening server wide, but it would be way nice if it didn't happen by accidental security oversight. So, what I'd really want is a setting that allows URL fopen only if I somehow explicitly tell the function I am using that it should expect a URL.

[Similar concerns are voiced in the responses here: http://bugs.php.net/bug.php?id=28684 The poster is asking for a different feature though, so continued this seperate request.]

Reproduce code:
---------------
Would go something like this:

PHP.ini:
allow_url_fopen = explicit

Script:
//mode 'u' allows me to open from a URL

fopen(http://example.org/somefile.txt, 'ua+');
//-> should work fine

fopen(http://example.org/somefile.txt, 'a+');
//-> should give a "not allowed" error

Similar ought to go for all functions capable of URL opening, of course. A default of allow_url_fopen = On still maintains backwards compatibility.


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-01-01 15:55 UTC] phpnet at gwaihir dot net
I noticed that it's probably more elegant if this "yes, an URL is ok here" be an option to set in the stream's context.
 [2016-12-30 23:54 UTC] cmb@php.net
-Package: Feature/Change Request +Package: Streams related
 [2021-07-27 10:27 UTC] cmb@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: cmb
 [2021-07-27 10:27 UTC] cmb@php.net
Since nothing happened here for more than ten years, I assume
there is not much interest in this feature, so I'm closing as
WONTFIX.  If anybody is still interested in having this feature,
please pursue the RFC process[1].

[1] <https://wiki.php.net/rfc/howto>
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 07:01:28 2024 UTC