[PHP-DOC] #28497 [Opn->Csd]: Disabling allow_url_fopen via httpd.conf has no effect

Sun, 23 May 2004 18:49:37 -0700 

 ID:               28497
 Updated by:       [EMAIL PROTECTED]
 Reported By:      iwonderiftheyllpostthistoapublicnewsgrou
-Status:           Open
+Status:           Closed
-Bug Type:         PHP options/info functions
+Bug Type:         Documentation problem
 Operating System: Linux
 PHP Version:      4.3.6
 New Comment:

The documentation was incorrect.  allow_url_fopen is meant to be a
security feature for allowing the system administrator to completely
prohibit the use of url fopen wrappers.  To allow it to be overridden
with a simple ini_set() would negate that purpose.

The documentation sources have been updated to read PHP_INI_SYSTEM and
should show as such in the next build of the online manual.


Previous Comments:
------------------------------------------------------------------------

[2004-05-23 21:15:32] iwonderiftheyllpostthistoapublicnewsgrou

Description:
------------
To improve security against poor coding I wish to disable
allow_url_fopen by default and allow users who have a legitimate need
for it to enable it themselves via use of .htaccess or ini_set(). Given
that allow_url_fopen is listed as PHP_INI_ALL in the docs I thought
this would be relatively easy, however I am unable to make it work:

Having allow_url_fopen off in php.ini disables it completely - the user
cannot activate it via .htaccess or ini_set(). So I tried to use
php_flag allow_url_fopen off in my httpd.conf to turn it off by
default. However this has no effect at all and users can happily use
URL-fopen functions without turning it on. Using php_admin_flag instead
of php_flag disables it entirely as if set via php.ini.

There appears to be no middle-ground here that lets the user control
use of this function instead of everybody or nobody having access.

Reproduce code:
---------------
httpd.conf
----------
php_flag allow_url_fopen off

test.php
--------
<?php
echo "<p>here is file:</p>";
readfile("http://www.r1ch.net/ohno";);
ini_set ("allow_url_fopen", "1");
echo "<p>here is more file:</p>";
readfile("http://www.r1ch.net/ohno";);
?>



Expected result:
----------------
here is file:

Warning: readfile(): URL file-access is disabled in the server
configuration in /.../test.php on line 2

here is more file:
ohno

Actual result:
--------------
here is file:
ohno

here is more file:
ohno


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=28497&edit=1

Reply via email to