Edit report at https://bugs.php.net/bug.php?id=28684&edit=1

 ID:                 28684
 Updated by:         [email protected]
 Reported by:        php at koteroff dot ru
 Summary:            allow_url_fopen drops security down
-Status:             Open
+Status:             Closed
 Type:               Feature/Change Request
-Package:            Feature/Change Request
+Package:            *General Issues
 Operating System:   *
 PHP Version:        4.3.6
-Assigned To:        
+Assigned To:        nikic
 Block user comment: N
 Private report:     N

 New Comment:

Closing this as this was already fixed long ago (with allow_url_include).


Previous Comments:
------------------------------------------------------------------------
[2006-07-10 22:08:17] tim at e2-media dot co dot nz

require() working on remote files by default is single-handedly responsible for 
a significant chunk of security holes in PHP apps. I definitely agree that 
require/include should be treated very differently from file_get_contents and 
other functions using wrappers - evaluating code is dangerous.

------------------------------------------------------------------------
[2004-06-23 03:01:50] no at email dot zz

I wish allow_url_fopen could be disabled by default, and then 3rd-party scripts 
that actually need the functionality would be able to enable it with an 
allow_url_fopen(TRUE); call or something. Many scripts use include() and 
require() that should never be using remote URLs.

The global 'on' or 'off' setting is way too permissive and doesn't make 
securing PHP very easy.

------------------------------------------------------------------------
[2004-06-07 22:43:47] php at koteroff dot ru

Description:
------------
First, we have a documentation problem:
http://php.net/ini-set
allow_url_fopen "1" PHP_INI_ALL 
Not PHP_INI_ALL, but PHP_INI_SYSTEM (according to my experiments and the CHANGELOG).
(But it was already described here: http://bugs.php.net/bug.php?id=28497&edit=2 ).

Second, in the new version of PHP allow_url_fopen affects include() and require() 
too. It's terrible! The security of scripts falls down! And (thanks to 
PHP_INI_SYSTEM) we cannot switch off allow_url_fopen for individual sites, only 
for the whole server globally.

I have a proposal: make a directive which will enable the use of fopen wrappers in 
the include() functions. This directive should be SEPARATED from allow_url_fopen 
and allowed to be switched off not only in php.ini. Or just allow allow_url_fopen 
to be switched off from everywhere (but not switched on, only off).

(Personally I think that it was a bad idea to add fopen wrapper support to the 
include functions at all, but what is done is done.)

Thanks.



------------------------------------------------------------------------
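The two things the thread argues about, shown in code: the closing comment's answer (allow_url_include is a separate, system-level directive that defaults to Off) and the original report's complaint (allow_url_fopen is PHP_INI_SYSTEM, so a script cannot turn it off for itself, and a request-controlled include() path is exactly what lets remote code in). This is an added example, not code from the bug report or from the PHP project. It assumes PHP 7.1 or later; the `page` request parameter, the `/pages` directory and the page names in the allowlist are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example; not code from this bug report or from PHP itself.
// Assumptions: PHP 7.1+; the "page" parameter, the /pages directory and the
// allowlisted file names below are hypothetical.

/**
 * Effective state of the two directives discussed in the thread.
 * Both are PHP_INI_SYSTEM: they can be changed in php.ini or in the web
 * server configuration (Apache mod_php: php_admin_flag in httpd.conf),
 * but not from a script or from .htaccess.
 */
function remoteIncludeStatus(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

/**
 * What the reporter ran into: ini_set() on a PHP_INI_SYSTEM directive does
 * nothing and returns false, so a single site cannot switch allow_url_fopen
 * (or allow_url_include) off for itself at runtime.
 */
function canDisableAtRuntime(string $directive): bool
{
    return ini_set($directive, '0') !== false;
}

/**
 * VULNERABLE: the shape of the bug the thread warns about. Request data is
 * used as the include path. With allow_url_include=On, a value carrying a
 * URL makes include() fetch and execute remote code; with it Off, path
 * traversal input still pulls in arbitrary local files.
 */
function renderPageUnsafe(string $page): void
{
    include $page . '.php';
}

/**
 * Reject anything that looks like a stream-wrapper target (http://, ftp://,
 * php://, data:, ...), contains a NUL byte, or tries to traverse upwards.
 * Note: the scheme check also rejects Windows drive paths such as C:\x.
 */
function isPlainLocalPath(string $path): bool
{
    return strpos($path, "\0") === false
        && preg_match('#^[A-Za-z][A-Za-z0-9+.\-]*:#', $path) !== 1
        && strpos($path, '..') === false;
}

/** Allowlist: request token => file name. The token never becomes a path. */
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/** Map a request token to an allowlisted file; null if it is not listed. */
function resolvePage(string $requested): ?string
{
    if (!isset(PAGES[$requested])) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$requested];
}

/** HARDENED: only allowlisted local files can ever reach include(). */
function renderPageSafe(string $requested): void
{
    $path = resolvePage($requested);
    if ($path === null) {
        http_response_code(404);
        echo 'unknown page';
        return;
    }
    include $path;
}

// Stand-alone check from the CLI: show the directive state, that a script
// cannot disable allow_url_fopen for itself, and how the path filters treat
// a URL, a plain token and a traversal attempt.
if (PHP_SAPI === 'cli') {
    var_export(remoteIncludeStatus());
    echo PHP_EOL;
    var_dump(canDisableAtRuntime('allow_url_fopen'));
    var_dump(isPlainLocalPath('http://example.invalid/x.txt'));
    var_dump(isPlainLocalPath('home'));
    var_dump(resolvePage('../../etc/passwd'));
    var_dump(resolvePage('home'));
}
```

The allowlist is the part that matters: `isPlainLocalPath()` is shown because blocklisting schemes is what people reach for first, but include() also accepts wrappers such as `php://` and `data:`, and a filter has to keep up with all of them, whereas a token-to-file map never passes request data to include() at all. For the per-site control the reporter wanted, the directive being PHP_INI_SYSTEM means the place to switch it off for one virtual host is the server configuration (for Apache mod_php, `php_admin_flag allow_url_include Off` inside that host's block), not the script.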