php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #15854 allow_url_fopen setting in php.ini ignores the true INI constants
Submitted: 2002-03-04 04:54 UTC Modified: 2005-06-25 03:18 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: nickj-phpbugs at nickj dot org Assigned:
Status: Closed Package: *General Issues
PHP Version: 5CVS-2005-06-20 (dev) OS: Debian Linux 3.0r6
Private report: No CVE-ID: None
 [2002-03-04 04:54 UTC] nickj-phpbugs at nickj dot org
Before:
The output of phpinfo(), in the "Configuration - PHP Core" section, for the "allow_url_fopen" directive says "no value" for both "Local Value" and "Master Value".

Aim:
To set the allow_url_fopen to say off / disabled, as opposed to "no value", for a more secure PHP installation.

Changes made:
To the /etc/php.ini, tried adding the following lines, one at a time, then restarting the web server, then checking the output of phpinfo():
allow_url_fopen = False ;
allow_url_fopen = false ;
allow_url_fopen = Off ;
allow_url_fopen = off ;

After:
The output of phpinfo(), in the "Configuration - PHP Core" section, for the "allow_url_fopen" directive _still_ says "no value" for both "Local Value" and "Master Value" in all of the above cases. 

What _does_ fix this problem:
Using the integer value, like so:
allow_url_fopen = 0 ;

In this case the value prints as "0".

What does work as expected:
Basically, all the true cases that I tried, namely:
allow_url_fopen = 1 ;
allow_url_fopen = True ;
allow_url_fopen = true ;
allow_url_fopen = On ;
allow_url_fopen = on ;

In all of these cases the value prints as "1".

Why this is a problem:
Besides being completely inconsistent, it also does not comply with the documentation:
The php.ini file says this:
> The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
> of the INI constants (On, Off, True, False, Yes, No and None) or an expression
> (e.g. E_ALL & ~E_NOTICE), or a quoted string ("foo").
Furthermore many of the values in the php.ini file are either "On" or "Off". Most normal people would thus quite reasonably assume that the same consistent syntax would also work for allow_url_fopen, and it does, but only if you want to enable it, not if you want to disable it (which is what most people would probably want to do) [**bangs head repeatedly against table**].


Answers to the questions I expect you to ask:
There is no duplicate existing line that is overwriting the value of the allow_url_fopen directive, as evidenced by this:
===================================
[root@dev ~]# grep -i "fopen" /etc/php.ini
; prevent the URL-aware fopen wrappers from accessing URL objects
allow_url_fopen = 0 ;
===================================

I know that I am editing the correct php.ini file, because it can be made to work, but only if I change the value to any true/on/1 value, or to 0.

This is not a brand new problem. The same problem happened in PHP 4.04pl1, but I gave up looking harder at it then when I could not get "False" or "Off" to work straight away. I had hoped that upgrading to PHP 4.06 might make it go away, but no joy. I only found that 0 or 1 work out of an annoyed determination to try everything when upgrading to 4.06 due to recent security updates.

Evidence that this has bit other people in the ass too:
I have searched the PHP bugs database, and noticed that someone else has experienced something similar, but it is included as a side note in a bug report (not as the main content):
http://bugs.php.net/?id=12748
The reporter of that bug (#12748) wrote:
> When I leave out the setting in httpd.conf, and just have 
> "allow_url_fopen = Off" in the php.ini file, phpinfo() has 
> "no value" written for the Master Value and Local Value.

Recommendation:
_Please_ fix the "allow_url_fopen" directive to work with _all_ the INI constants - namely "On, Off, True, False, Yes, No".

My configuration information:
These PHP packages are using the distro's RPMs, namely: php-4.0.6-5.7mdk.i586.rpm, php-common-4.0.6-5.7mdk.i586.rpm, php-devel-4.0.6-5.7mdk.i586.rpm

Am I willing to update to whatever the latest and greatest PHP version is right now?:
Absolutely not. I've got what I have to work, but I want to stop this from being a problem for anyone else (or myself in two year's time).

The top bit of phpinfo() shows this:
=======================================
PHP Version 4.0.6 

System Linux updates.mandrakesoft.com 2.4.8-34.1mdkenterprise #1 SMP Mon Nov 19 11:56:45 MST 2001 i686 unknown 
Build Date Feb 27 2002 
Configure Command  './configure' '--disable-static' '--disable-debug' '--disable-rpath' '--enable-pic' '--enable-inline-optimization' '--prefix=/usr' '--with-zlib' '--with-config-file-path=/etc' '--enable-magic-quotes' '--enable-debugger' '--enable-track-vars' '--enable-safe-mode' '--with-exec-dir=/usr/bin' '--with-regex=system' '--with-versioning' '--enable-sysvsem' '--enable-sysvshm' '--with-mod_charset' '--enable-force-cgi-redirect' '--with-mm' '--enable-trans-sid' '--with-dbase' '--with-filepro' '--enable-yp' '--enable-ftp' '--with-xml' '--with-gettext' <br>[Some modules are external: look for packages php-pgsql,php-mysql,...] 
Server API Apache 
Virtual Directory Support disabled 
Configuration File (php.ini) Path /etc/php.ini 
ZEND_DEBUG disabled 
Thread Safety disabled 

This program makes use of the Zend scripting language engine:
Zend Engine v1.0.6, Copyright (c) 1998-2001 Zend Technologies
    with Zend Optimizer v1.2.0, Copyright (c) 1998-2001, by Zend Technologies 

=======================================

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-04-16 18:21 UTC] wez@php.net
Considered closed - please try a CVS snapshot (dated at the time you read this or later) and reopen if this still applies.

 [2005-06-22 10:20 UTC] nickj-phpbugs at nickj dot org
Reopening, as the allow_url_fopen php.ini directive still (in PHP5.1-dev) seems to work incorrectly with some boolean INI constants.

However, whereas before it would do the wrong things with false constants (see this bug, and also http://bugs.php.net/19426 ), it now seems to do the wrong thing with the true constants (and no, this is not a joke).

In order to make it easier to demonstrate this, I have created a series of eight small .phpt unit tests. These unit test are available for download at http://home.swiftdsl.com.au/~npj/php-bugs/bug15854.zip (4Kb file)

Note: You may or may not need to comment out the "allow_url_fopen" directive in your php.ini (in case it interferes with these tests) - I don't know enough about .phpt unit-tests to know if this matters or not.

The 8 tests are almost identical, except that the values the allow_url_fopen are set to are 0, false, no, off (which would be expected to show the 'Local Value' for allow_url_fopen in phpinfo as 'Off'), and 1, true, yes, on (which would be expected to show the 'Local Value' for allow_url_fopen in phpinfo as 'On').

Note that all 8 boolean constructs should work, as in the PHP.ini introduction it indicates that acceptable values for directives are "a number" and "one of the INI constants (On, Off, True, False, Yes, No and None)".

The results of running these tests on a 2-day-old PHP5.1-dev CVS build are as follows:
------------------------------------------------------------------
ludo:~/tmp/php-5.1-dev/php5-200506201830# TEST_PHP_EXECUTABLE=sapi/cli/php sapi/cli/php run-tests.php ../bug15854/*.phpt 

=====================================================================
CWD         : /root/tmp/php-5.1-dev/php5-200506201830
PHP         : sapi/cli/php 
PHP_SAPI    : cli
PHP_VERSION : 5.1.0-dev
ZEND_VERSION: 2.1.0-dev
PHP_OS      : Linux - Linux ludo 2.6.7-1-686 #1 Wed Jul 28 12:29:51 CEST 2004 i686
INI actual  : /root/tmp/php-5.1-dev/php5-200506201830/sapi/cli/php.ini
More .INIs  : 
Extra dirs  : 
=====================================================================
Running selected tests.
PASS Bug #15854 (allow_url_fopen setting in php.ini ignores some boolean INI constants) [/root/tmp/php-5.1-dev/bug15854/bug15854-0.phpt]
PASS Bug #15854 (allow_url_fopen setting in php.ini ignores some boolean INI constants) [/root/tmp/php-5.1-dev/bug15854/bug15854-1.phpt]
PASS Bug #15854 (allow_url_fopen setting in php.ini ignores some boolean INI constants) [/root/tmp/php-5.1-dev/bug15854/bug15854-false.phpt]
PASS Bug #15854 (allow_url_fopen setting in php.ini ignores some boolean INI constants) [/root/tmp/php-5.1-dev/bug15854/bug15854-no.phpt]
PASS Bug #15854 (allow_url_fopen setting in php.ini ignores some boolean INI constants) [/root/tmp/php-5.1-dev/bug15854/bug15854-off.phpt]
FAIL Bug #15854 (allow_url_fopen setting in php.ini ignores some boolean INI constants) [/root/tmp/php-5.1-dev/bug15854/bug15854-on.phpt]
FAIL Bug #15854 (allow_url_fopen setting in php.ini ignores some boolean INI constants) [/root/tmp/php-5.1-dev/bug15854/bug15854-true.phpt]
FAIL Bug #15854 (allow_url_fopen setting in php.ini ignores some boolean INI constants) [/root/tmp/php-5.1-dev/bug15854/bug15854-yes.phpt]

=====================================================================
Number of tests :    8                 8
Tests skipped   :    0 (  0.0%) --------
Tests warned    :    0 (  0.0%) (  0.0%)
Tests failed    :    3 ( 37.5%) ( 37.5%)
Tests passed    :    5 ( 62.5%) ( 62.5%)
---------------------------------------------------------------------
Time taken      :    1 seconds
=====================================================================

=====================================================================
FAILED TEST SUMMARY
---------------------------------------------------------------------
Bug #15854 (allow_url_fopen setting in php.ini ignores some boolean INI constants) [/root/tmp/php-5.1-dev/bug15854/bug15854-on.phpt]
Bug #15854 (allow_url_fopen setting in php.ini ignores some boolean INI constants) [/root/tmp/php-5.1-dev/bug15854/bug15854-true.phpt]
Bug #15854 (allow_url_fopen setting in php.ini ignores some boolean INI constants) [/root/tmp/php-5.1-dev/bug15854/bug15854-yes.phpt]
=====================================================================
ludo:~/tmp/php-5.1-dev/php5-200506201830# 
------------------------------------------------------------------


(i.e. the 'on', 'true' and 'yes' directives do not appear to be working).
 [2005-06-22 12:47 UTC] sniper@php.net
Your tests can't work as the options in the INI section are passed as '-d' options to the PHP binary runnning the script and thus the ini scanner is by-passed in that.

(unknown values in the options are considered as 0)

 [2005-06-22 14:05 UTC] tony2001@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Fixed in HEAD (5.1) only (this won't be backported in other branches).

 [2005-06-25 03:18 UTC] nickj-phpbugs at nickj dot org
Confirmed fixed in php5-200506222230. Thank you Tony!

Also you're more than welcome to include these .phpt tests in "make test" if you think it might be useful for QA.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed Oct 16 07:01:27 2024 UTC