ID: 28497 Updated by: [EMAIL PROTECTED] Reported By: iwonderiftheyllpostthistoapublicnewsgrou -Status: Open +Status: Closed -Bug Type: PHP options/info functions +Bug Type: Documentation problem Operating System: Linux PHP Version: 4.3.6 New Comment:
The documentation was incorrect. allow_url_fopen is meant to be a security feature for allowing the system administrator to completely prohibit the use of url fopen wrappers. To allow it to be overridden with a simple ini_set() would negate that purpose. The documentation sources have been updated to read PHP_INI_SYSTEM and should show as such in the next build of the online manual. Previous Comments: ------------------------------------------------------------------------ [2004-05-23 21:15:32] iwonderiftheyllpostthistoapublicnewsgrou Description: ------------ To improve security against poor coding I wish to disable allow_url_fopen by default and allow users who have a legitimate need for it to enable it themselves via use of .htaccess or ini_set(). Given that allow_url_fopen is listed as PHP_INI_ALL in the docs I thought this would be relatively easy, however I am unable to make it work: Having allow_url_fopen off in php.ini disables it completely - the user cannot activate it via .htaccess or ini_set(). So I tried to use php_flag allow_url_fopen off in my httpd.conf to turn it off by default. However this has no effect at all and users can happily use URL-fopen functions without turning it on. Using php_admin_flag instead of php_flag disables it entirely as if set via php.ini. There appears to be no middle-ground here that lets the user control use of this function instead of everybody or nobody having access. Reproduce code: --------------- httpd.conf ---------- php_flag allow_url_fopen off test.php -------- <?php echo "<p>here is file:</p>"; readfile("http://www.r1ch.net/ohno"); ini_set ("allow_url_fopen", "1"); echo "<p>here is more file:</p>"; readfile("http://www.r1ch.net/ohno"); ?> Expected result: ---------------- here is file: Warning: readfile(): URL file-access is disabled in the server configuration in /.../test.php on line 2 here is more file: ohno Actual result: -------------- here is file: ohno here is more file: ohno ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=28497&edit=1