PHP :: Request #28684 :: allow_url_fopen drops security down

allow_url_fopen drops security down

Submitted:

2004-06-07 22:43 UTC

Modified:

2012-04-09 22:12 UTC

Votes:	5
Avg. Score:	5.0 ± 0.0
Reproduced:	4 of 4 (100.0%)
Same Version:	1 (25.0%)
Same OS:	2 (50.0%)

From:

php at koteroff dot ru

Assigned:

nikic (profile)

Status:

Closed

Package:

*General Issues

PHP Version:

4.3.6

OS:

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	php at koteroff dot ru
New email:
PHP Version:		OS:

New Comment:

[2004-06-07 22:43 UTC] php at koteroff dot ru

Description:
------------
First, we have documentation problem:
http://php.net/ini-set
allow_url_fopen "1" PHP_INI_ALL 
Not PHP_INI_ALL, but PHP_INI_SYSTEM (according to my experiments and CHANGELOG).
(But it was described here: http://bugs.php.net/bug.php?id=28497&edit=2 ).

Second, in new version of PHP allow_url_fopen touches include() and require() to. It's terribly! Security of scripts falls down! And (thanks to PHP_INI_SYSTEM) we cannot switch off allow_url_fopen for personal sites, only for all server globally.

I have a proposal: make directive which will enable using of fopen wrappers in include()-functions. This directive should be SEPARATED from allow_url_fopen and allowed to be switched off not in php.ini only. Or just allow to switch off allow_url_fopen from everywhere (but not switch on, only off).

(Personally I think that it was bad idea to add fopen wreppers support in include functions at all, but what was made ? is what is made).

Thanks.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2004-06-23 03:01 UTC] no at email dot zz

I wish allow_url_fopen could be disabled by default and then 3rd party scripts that actually need the functionality are able to enable it with an allow_url_fopen (TRUE); call or something. Many scripts use include() and require() that should never be using remote URLs.

The global 'on' or 'off' setting is way too permissive and doesn't make securing PHP very easy.

[2006-07-10 22:08 UTC] tim at e2-media dot co dot nz

require() working on remote files by default is singlehandedly responsible for a significant chunk of security holes in php apps. I definitely agree that require/include should be treated very differently to file_get_contents and other functions using wrappers - evaluating code is dangerous.

[2012-04-09 22:12 UTC] nikic@php.net

-Status: Open +Status: Closed -Package: Feature/Change Request +Package: *General Issues -Assigned To: +Assigned To: nikic

[2012-04-09 22:12 UTC] nikic@php.net

Closing this as this was already fixed long ago (with allow_url_include).

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 20:01:29 2024 UTC