php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #43535 parse_ini_file('http://example.com/some.ini') and allow_url_include=off
Submitted: 2007-12-08 13:53 UTC Modified: 2015-05-31 04:22 UTC
From: sskaje at gmail dot com Assigned: cmb (profile)
Status: No Feedback Package: PHP options/info functions
PHP Version: 5.2.5 OS: *
Private report: No CVE-ID: None
View Developer Edit
 [2007-12-08 13:53 UTC] sskaje at gmail dot com 
Description:
------------
parse_ini_file() should not be configured with allow_url_include in php.ini but allow_url_fopen
that make me cant directly parse the ini file on http server

Expected result:
----------------
nothing

Actual result:
--------------
nothing

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-12-10 09:58 UTC] jani@php.net 
And what exactly is the problem you have?
Currently the file opening for this function happens exactly how a script is opened and I don't think there's anything wrong with that.
 [2007-12-11 10:01 UTC] sskaje at gmail dot com 
There is a ini file on a http server which has something i need on it.
so i tried to use parse_ini_file() to get the content and parse it.
i set teh 'allow_url_include' Off due to security issue, but i got an error which said that i must turn it On
 [2007-12-12 10:12 UTC] jani@php.net 
This requires changes too big for a bugfix (this is more like a new feature as such) so most likely this will be in PHP 5.3.0 at earliest.
 [2009-02-02 16:41 UTC] stefan dot walk+php at gmail dot com 
I don't see how checking for allow_url_fopen instead of 
allow_url_include is a big change ...
 [2009-02-02 16:49 UTC] sskaje at gmail dot com 
[2 Feb 4:41pm UTC] stefan dot walk+php at gmail dot com 
I don't see how checking for allow_url_fopen instead of 
allow_url_include is a big change ...


ya, stefan, its not a big change, but as you know, all_url_include is recommended to be Off to avoid RFI, if you need to parse an ini file on a remote server without allow_url_include ON, you have to download it before parsing it. So, use allow_url_fopen would bring more convinience than allow_url_include
 [2011-04-08 21:04 UTC] jani@php.net
-Package: Feature/Change Request +Package: PHP options/info functions
 [2015-05-17 19:49 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2015-05-17 19:49 UTC] cmb@php.net 
Since PHP 5.3.0 there is parse_ini_string(), so you could do:

  parse_ini_string(file_get_contents('...'));

Isn't that sufficiently convenient?
 [2015-05-31 04:22 UTC] php-bugs at lists dot php dot net 
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Oct 29 11:00:01 2025 UTC