From:             php at koteroff dot ru
Operating system: *
PHP version:      4.3.6
PHP Bug Type:     Feature/Change Request
Bug description:  allow_url_fopen drops security down

Description:
------------
First, we have a documentation problem:
http://php.net/ini-set
allow_url_fopen "1" PHP_INI_ALL 
Not PHP_INI_ALL, but PHP_INI_SYSTEM (according to my experiments and
CHANGELOG).
(But it was described here: http://bugs.php.net/bug.php?id=28497&edit=2
).

Second, in the new version of PHP allow_url_fopen touches include() and
require() too. It's terrible! Security of scripts falls down! And (thanks
to PHP_INI_SYSTEM) we cannot switch off allow_url_fopen for personal
sites, only for all server globally.

I have a proposal: make a directive which will enable the use of fopen
wrappers in include()-functions. This directive should be SEPARATED from
allow_url_fopen and allowed to be switched off not in php.ini only. Or
just allow to switch off allow_url_fopen from everywhere (but not switch
on, only off).

(Personally I think that it was a bad idea to add fopen wrappers support in
include functions at all, but what was made — is what is made).

Thanks.


-- 
Edit bug report at http://bugs.php.net/?id=28684&edit=1
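
When allow_url_fopen cannot be switched off per site, as the report describes, a script can still keep wrapper URLs away from include() itself. The following is an added example, not part of the original report: the function name, directory and sample inputs are hypothetical, and it is written for current PHP rather than 4.3.6.

```php
<?php
// Added example, not from the bug report. resolve_local_include(), $baseDir
// and the sample inputs below are hypothetical / constructed.

/**
 * Map a request-supplied page name to a file inside $baseDir, or throw.
 * Nothing that looks like a stream wrapper or a path ever reaches include().
 */
function resolve_local_include(string $name, string $baseDir): string
{
    // Allowlist the name itself: no scheme ("http://"), no slashes, no dots.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('rejected include name');
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    // realpath() resolves local files only and returns false otherwise.
    $path = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('no such page');
    }
    return $path;
}

// Demo with constructed inputs; runs offline and cleans up after itself.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
@mkdir($baseDir);
file_put_contents($baseDir . '/home.php', '<?php echo "home page\n";');

// Report the server-wide setting the script has to live with.
echo 'allow_url_fopen = ', var_export(ini_get('allow_url_fopen'), true), "\n";

$samples = ['home', 'http://example.invalid/x', 'ftp://example.invalid/x', 'missing'];
foreach ($samples as $candidate) {
    try {
        include resolve_local_include($candidate, $baseDir);
    } catch (Exception $e) {
        echo 'blocked ', var_export($candidate, true), ': ', $e->getMessage(), "\n";
    }
}
unlink($baseDir . '/home.php');
rmdir($baseDir);
```

Only the first sample is included; the two wrapper-style names fail the allowlist and the last one fails the realpath() check, whatever allow_url_fopen is set to.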