From: anders at schlund dot de
Operating system: Linux
PHP version: Irrelevant
PHP Bug Type: Feature/Change Request
Bug description: Setting of allow_furl_open_wrapper by users script

Description:
------------
The furl-wrapper enables scripts to open and include data from remote sites by opening a URL to that data. It is a very powerful and sometimes extremely useful extension for PHP, so almost no web host disables this feature. On the other hand, there are very often cases where insecurely written scripts allow e.g. inclusion of config files from remote sites by handing a specially crafted parameter to the script. Although this is an insecurity in those scripts and not in PHP, PHP can help to change exploiting those scripts.

Currently, allow_furl_open_wrapper is a system-configurable variable, i.e. the system administrator decides that all users are allowed to use this function. If the admin disables this feature, not a single user can use it. As the feature is useful to many 'power' users, disabling this feature is usually out of the question.

Idea: change the variable allow_furl_open_wrapper to become a tri-state variable, e.g. the values On, Off and User. The 'user'-setting means that the function is initially disabled, but a user's php.ini or a special php-call from the user's script can enable this function. That way, a script usually runs in a safe environment and can enable the potentially dangerous function when it thinks it does really require usage of the furl_open_wrapper.

Reproduce code:
---------------
n/a

Expected result:
----------------
n/a

Actual result:
--------------
n/a

--
Edit bug report at http://bugs.php.net/?id=29410&edit=1
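
The report above describes scripts that include a file named by a request parameter. As an added example (not part of the original report and not PHP project code), this is a script-side guard that keeps such an include local however the URL-wrapper setting is configured. The `pages` directory, the page names and `resolve_page()` are hypothetical, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: script-level guard for a parameter-driven include.
// PAGE_DIR, ALLOWED_PAGES and resolve_page() are hypothetical names.

// The pattern the report refers to is an include whose target comes straight
// from a request parameter, for example: include($_GET['page'] . '.php');
// With URL wrappers enabled, that target can be a remote URL.

const PAGE_DIR = __DIR__ . '/pages';                 // assumed location of includable files
const ALLOWED_PAGES = ['home', 'news', 'contact'];   // assumed fixed allowlist

/**
 * Map an untrusted page name to a local file path, or return null.
 */
function resolve_page(string $name): ?string
{
    // Only names on the fixed allowlist pass. This alone rejects URL schemes
    // (http://, ftp://, php://) and path traversal strings.
    if (!in_array($name, ALLOWED_PAGES, true)) {
        return null;
    }

    // Defence in depth: the resolved file must exist and stay inside PAGE_DIR,
    // which also catches a symlink pointing outside the directory.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Treat a missing or non-string parameter (e.g. ?page[]=x) as the default page.
$page = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
$file = resolve_page($page);

if ($file === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $file;
```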