From:             iwonderiftheyllpostthistoapublicnewsgroup at r1ch dot net
Operating system: Linux
PHP version:      4.3.6
PHP Bug Type:     PHP options/info functions
Bug description:  Disabling allow_url_fopen via httpd.conf has no effect

Description:
------------
To improve security against poor coding I wish to disable allow_url_fopen
by default and allow users who have a legitimate need for it to enable it
themselves via use of .htaccess or ini_set(). Given that allow_url_fopen
is listed as PHP_INI_ALL in the docs I thought this would be relatively
easy, however I am unable to make it work:

Having allow_url_fopen off in php.ini disables it completely - the user
cannot activate it via .htaccess or ini_set(). So I tried to use php_flag
allow_url_fopen off in my httpd.conf to turn it off by default. However
this has no effect at all and users can happily use URL-fopen functions
without turning it on. Using php_admin_flag instead of php_flag disables
it entirely as if set via php.ini.

There appears to be no middle-ground here that lets the user control use
of this function instead of everybody or nobody having access.

Reproduce code:
---------------
httpd.conf
----------
php_flag allow_url_fopen off

test.php
--------
<?php
echo "<p>here is file:</p>";
readfile("http://www.r1ch.net/ohno";);
ini_set ("allow_url_fopen", "1");
echo "<p>here is more file:</p>";
readfile("http://www.r1ch.net/ohno";);
?>



Expected result:
----------------
here is file:

Warning: readfile(): URL file-access is disabled in the server
configuration in /.../test.php on line 2

here is more file:
ohno

Actual result:
--------------
here is file:
ohno

here is more file:
ohno

-- 
Edit bug report at http://bugs.php.net/?id=28497&edit=1
-- 
Try a CVS snapshot (php4):  http://bugs.php.net/fix.php?id=28497&r=trysnapshot4
Try a CVS snapshot (php5):  http://bugs.php.net/fix.php?id=28497&r=trysnapshot5
Fixed in CVS:               http://bugs.php.net/fix.php?id=28497&r=fixedcvs
Fixed in release:           http://bugs.php.net/fix.php?id=28497&r=alreadyfixed
Need backtrace:             http://bugs.php.net/fix.php?id=28497&r=needtrace
Need Reproduce Script:      http://bugs.php.net/fix.php?id=28497&r=needscript
Try newer version:          http://bugs.php.net/fix.php?id=28497&r=oldversion
Not developer issue:        http://bugs.php.net/fix.php?id=28497&r=support
Expected behavior:          http://bugs.php.net/fix.php?id=28497&r=notwrong
Not enough info:            http://bugs.php.net/fix.php?id=28497&r=notenoughinfo
Submitted twice:            http://bugs.php.net/fix.php?id=28497&r=submittedtwice
register_globals:           http://bugs.php.net/fix.php?id=28497&r=globals
PHP 3 support discontinued: http://bugs.php.net/fix.php?id=28497&r=php3
Daylight Savings:           http://bugs.php.net/fix.php?id=28497&r=dst
IIS Stability:              http://bugs.php.net/fix.php?id=28497&r=isapi
Install GNU Sed:            http://bugs.php.net/fix.php?id=28497&r=gnused
Floating point limitations: http://bugs.php.net/fix.php?id=28497&r=float

Reply via email to