From: phpnet at gwaihir dot net
Operating system: all?
PHP version: 5.2.0
PHP Bug Type: Feature/Change Request
Bug description: allow_url_fopen "2.0"

Description:
------------
Securing PHP against accidentally opening a file/stream from a URL instead of the local filesystem is nice, however allow_url_fopen as it is, is just too limited, it needs an "explicit only" setting in addition to just "on" or "off".

In most real world situations, one doesn't want to forbid URL opening server wide, but it would be way nice if it didn't happen by accidental security oversight. So, what I'd really want is a setting that allows URL fopen only if I somehow explicitly tell the function I am using that it should expect a URL.

[Similar concerns are voiced in the responses here: http://bugs.php.net/bug.php?id=28684 The poster is asking for a different feature though, so continued this separate request.]

Reproduce code:
---------------
Would go something like this:

PHP.ini:
allow_url_fopen = explicit

Script:
//mode 'u' allows me to open from a URL
fopen('http://example.org/somefile.txt', 'ua+'); //-> should work fine
fopen('http://example.org/somefile.txt', 'a+'); //-> should give a "not allowed" error

Similar ought to go for all functions capable of URL opening, of course.
A default of allow_url_fopen = On still maintains backwards compatibility.

--
Edit bug report at http://bugs.php.net/?id=39997&edit=1
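
The behaviour requested above can be approximated in userland while allow_url_fopen stays On. This is an added example, not part of the original report and not PHP's own code: `explicit_fopen()` and `is_stream_url()` are hypothetical helper names, and the code assumes PHP 7 or later.

```php
<?php
// Added example: explicit_fopen() and is_stream_url() are hypothetical
// helpers, not PHP built-ins. They emulate "allow_url_fopen = explicit".

/** True when $path names a stream wrapper other than the local filesystem. */
function is_stream_url(string $path): bool
{
    // "scheme://..." with a scheme of two or more characters, so a Windows
    // drive letter such as "C:" is not mistaken for a wrapper.
    if (preg_match('#^([a-z][a-z0-9+.\-]+)://#i', $path, $m)) {
        return strtolower($m[1]) !== 'file';
    }
    // Conservative: also treat the RFC 2397 "data:" form as a stream.
    return stripos($path, 'data:') === 0;
}

/** fopen() that refuses non-local streams unless $mode contains 'u'. */
function explicit_fopen(string $path, string $mode)
{
    $explicit = strpos($mode, 'u') !== false;
    $mode = str_replace('u', '', $mode);   // fopen() itself has no 'u' flag

    if (!$explicit && is_stream_url($path)) {
        trigger_error('URL open not allowed: mode lacks explicit "u" flag', E_USER_WARNING);
        return false;
    }
    return fopen($path, $mode);
}

// Constructed demo; runs offline because the URL case is refused before any I/O.
$local = tempnam(sys_get_temp_dir(), 'demo');
file_put_contents($local, "local data\n");

$fh = explicit_fopen($local, 'r');          // local path: allowed as usual
echo fgets($fh);
fclose($fh);

// A value that unexpectedly turns out to be a URL is rejected...
$fh = @explicit_fopen('http://example.org/somefile.txt', 'r');
var_dump($fh);                              // refused before fopen() is reached

// ...while a caller that expects a URL opts in per call:
//   explicit_fopen('http://example.org/somefile.txt', 'ur');
unlink($local);
```

Only calls routed through the helper are covered; other URL-capable functions (file_get_contents, include, copy and so on) would each need the same gate.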