From: the_djmaze at hotmail dot com Operating system: GNU/Linux PHP version: 5.2.9RC2 PHP Bug Type: Streams related Bug description: Security issue: allow_url_fopen/allow_url_include are useless
Description: ------------ I already know this for years but as of now no-one reported it so i will. You can override the security settings of allow_url_fopen and allow_url_include by using the following functions: http://php.net/stream_wrapper_register http://php.net/stream_wrapper_unregister Due to this you can unregister the HTTP wrapper and register your own. Then with fsockopen or cURL inside that wrapper you completely override the security settings. Reproduce code: --------------- Wrapper class: http://dragonflycms.org/cvs/html/includes/classes/http_wrapper.php?v=1.1 <?php if (!ini_get('allow_url_fopen') && !ini_get('allow_url_include')) { # Force allow_url_fopen=on and allow_url_include=off stream_wrapper_unregister('http'); require('http_wrapper.php'); stream_wrapper_register('http', 'moo_stream_wrapper_http'); } getimagesize('http://www.php.net/images/php.gif'); ?> Expected result: ---------------- Warning: getimagesize() [function.getimagesize]: URL file-access is disabled in the server configuration Warning: getimagesize(http://www.php.net/images/php.gif) [function.getimagesize]: failed to open stream: no suitable wrapper could be found Warning: getimagesize() [function.getimagesize]: URL file-access is disabled in the server configuration Warning: getimagesize(http://www.php.net/images/php.gif) [function.getimagesize]: failed to open stream: no suitable wrapper could be found Actual result: -------------- success! -- Edit bug report at http://bugs.php.net/?id=47444&edit=1 -- Try a CVS snapshot (PHP 5.2): http://bugs.php.net/fix.php?id=47444&r=trysnapshot52 Try a CVS snapshot (PHP 5.3): http://bugs.php.net/fix.php?id=47444&r=trysnapshot53 Try a CVS snapshot (PHP 6.0): http://bugs.php.net/fix.php?id=47444&r=trysnapshot60 Fixed in CVS: http://bugs.php.net/fix.php?id=47444&r=fixedcvs Fixed in CVS and need be documented: http://bugs.php.net/fix.php?id=47444&r=needdocs Fixed in release: http://bugs.php.net/fix.php?id=47444&r=alreadyfixed Need backtrace: http://bugs.php.net/fix.php?id=47444&r=needtrace Need Reproduce Script: http://bugs.php.net/fix.php?id=47444&r=needscript Try newer version: http://bugs.php.net/fix.php?id=47444&r=oldversion Not developer issue: http://bugs.php.net/fix.php?id=47444&r=support Expected behavior: http://bugs.php.net/fix.php?id=47444&r=notwrong Not enough info: http://bugs.php.net/fix.php?id=47444&r=notenoughinfo Submitted twice: http://bugs.php.net/fix.php?id=47444&r=submittedtwice register_globals: http://bugs.php.net/fix.php?id=47444&r=globals PHP 4 support discontinued: http://bugs.php.net/fix.php?id=47444&r=php4 Daylight Savings: http://bugs.php.net/fix.php?id=47444&r=dst IIS Stability: http://bugs.php.net/fix.php?id=47444&r=isapi Install GNU Sed: http://bugs.php.net/fix.php?id=47444&r=gnused Floating point limitations: http://bugs.php.net/fix.php?id=47444&r=float No Zend Extensions: http://bugs.php.net/fix.php?id=47444&r=nozend MySQL Configuration Error: http://bugs.php.net/fix.php?id=47444&r=mysqlcfg
