Thank you for this bug report. To properly diagnose the problem, we
need a short but complete example script to be able to reproduce
this bug ourselves.

A proper reproducing script starts with <?php and ends with ?>,
is max. 10-20 lines long and does not require any external
resources such as databases, etc. If the script requires a
database to demonstrate the issue, please make sure it creates
all necessary tables, stored procedures etc.

Please avoid embedding huge scripts into the report.

Are you passing unvalidated input to getimagesize? If the problem is that someone is giving you a URL and you don't want them to, then the solution is to make sure that you don't let someone give you a URL.

Should be a separate option than allow_url_fopen

no, the whole https://www.php.net/manual/en/wrappers.php stuff is designed in a way that it don#t matter if the path is a physical file or a supported remote file and there is no sane reason to poke special handling into random function signatures

> as it is often a sign of someone providing bad arguments (url instead of path)

you are responsible to write code with validates input as developer

Well, the problem is for instance Wordpress plugins where users submit URLs instead of file-paths, which goes directly into getimagesize() and thus results in a http-request (or hundreds), chaining into poor performance etc. 

I realise a solution is proper validation, but Wordpress plugins and user-code is rarely known for this. Thus as this can result in a server-problem, it would be great with a server-side toggle for it.

> results in a http-request (or hundreds), chaining into poor performance etc.

than disable url wrappers on the server

> I realise a solution is proper validation, but Wordpress 
> plugins and user-code is rarely known for this

garbage in, garbage out

php is a programming language, you can't expect a programming language holding hands for every random "me too" developer, write bugreports for wodpress and the plugins

a programming language is supposed to do what the developer say and shouldn't holding hands - how do you expect to behave the bad code when random ini options chnage basic behavior of the underlying prigramming language?

As blunt as his replies are, I agree with him. There are many ways that someone can misuse PHP and creating settings to disable each one is not the right answer. Better coding is.

Whatever plugin or other mechanism is responsible for passing user input to getimagesize() needs to be updated to remove the vulnerability. Because that's essentially what this is: a vulnerability in the plugin. Standard practice in this situation is to give the administrator to choice of accepting all URLs or specifying a whitelist of domains to support.

allow_url_fopen is PHP's security measure for disabling unwanted remote access, even if it affects everything. More settings just makes it harder to write portable code.