Request #29410 Setting of allow_furl_open_wrapper by users script
Submitted: 2004-07-27 17:46 UTC Modified: 2004-07-29 05:48 UTC
Votes:3
Avg. Score:4.3 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:1 (33.3%)
Same OS:2 (66.7%)
From: anders at schlund dot de Assigned:
Status: Wont fix Package: Feature/Change Request
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
 [2004-07-27 17:46 UTC] anders at schlund dot de
Description:
------------
The furl-wrapper enables scripts to open and include data from remote sites by opening a URL to that data. It is a very powerful and sometimes extremely useful extension for PHP, so almost no web host disables this feature.

On the other hand, there are very often cases where insecurely written scripts allow e.g. inclusion of config files from remote sites by handing a specially crafted parameter to the script.
Although this is an insecurity in those scripts and not in PHP, PHP can help to change exploiting those scripts.

Currently, allow_furl_open_wrapper is a system-configurable variable, i.e. the system administrator decides that all users are allowed to use this function. If the admin disables this feature, not a single user can use it. As the feature is useful to many 'power' users, disabling this feature is usually out of the question.

Idea: change the variable allow_furl_open_wrapper to become a tri-state variable, e.g. the values On, Off and User.
The 'user'-setting means that the function is initially disabled, but a user's php.ini or a special php-call from the user's script can enable this function. That way, a script usually runs in a safe environment and can enable the potentially dangerous function when it thinks it does really require usage of the furl_open_wrapper.

Reproduce code:
---------------
n/a

Expected result:
----------------
n/a

Actual result:
--------------
n/a
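
The script-side fix for the inclusion problem the report describes, as an added example that is not part of the original report or of PHP's own code: the request parameter is used only as a key into an allow-list, so a URL or traversal string never reaches `include`. The function name `resolve_page`, the `PAGES` map, the `page` parameter and all sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Allow-list of page names to local file names (constructed for this example).
const PAGES = ['home' => 'home.php', 'contact' => 'contact.php'];

/**
 * Map a request parameter to a local file under $baseDir, or return null.
 * The raw value is used only as an array key, so it never reaches include.
 */
function resolve_page(string $baseDir, string $name): ?string
{
    if (!array_key_exists($name, PAGES)) {
        return null; // URLs, traversal sequences and unknown names end here
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGES[$name]);
    if ($base === false || $path === false) {
        return null; // directory or file missing
    }
    // Defence in depth: the resolved file must still sit inside $baseDir.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Demo setup: a temporary page directory holding one constructed page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home page';\n");

// Weak pattern of the kind the report describes (assumed form):
//     include $_GET['page'] . '.php';
// Hardened form: include only what resolve_page() returns.
$inputs = ['home', 'http://remote.example/config', '../../etc/passwd']; // constructed
foreach ($inputs as $input) {
    $path = resolve_page($dir, $input);
    echo str_pad($input, 32), ' => ';
    if ($path === null) {
        echo "rejected\n";
    } else {
        include $path;
        echo "\n";
    }
}

// Clean up the demo directory.
unlink($dir . DIRECTORY_SEPARATOR . 'home.php');
rmdir($dir);
```

With this in place the script behaves the same whether the host leaves remote URL wrappers on or off, which is the situation the report says most shared hosts are in.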

 [2004-07-29 05:48 UTC] wez@php.net
Sorry, this won't happen.
 
Last updated: Thu May 16 15:01:32 2024 UTC