ID:               28684
Comment by:       no at email dot zz
Reported By:      php at koteroff dot ru
Status:           Open
Bug Type:         Feature/Change Request
Operating System: *
PHP Version:      4.3.6
New Comment:

I wish allow_url_fopen could be disabled by default and then 3rd party
scripts that actually need the functionality are able to enable it with
an allow_url_fopen (TRUE); call or something. Many scripts use include()
and require() that should never be using remote URLs.

The global 'on' or 'off' setting is way too permissive and doesn't make
securing PHP very easy.


Previous Comments:
------------------------------------------------------------------------

[2004-06-07 22:43:47] php at koteroff dot ru

Description:
------------
First, we have a documentation problem:
http://php.net/ini-set
allow_url_fopen "1" PHP_INI_ALL 
Not PHP_INI_ALL, but PHP_INI_SYSTEM (according to my experiments and
CHANGELOG).
(But it was described here: http://bugs.php.net/bug.php?id=28497&edit=2
).

Second, in the new version of PHP allow_url_fopen touches include() and
require() too. It's terrible! Security of scripts falls down! And
(thanks to PHP_INI_SYSTEM) we cannot switch off allow_url_fopen for
personal sites, only for the whole server globally.

I have a proposal: make a directive which will enable the use of fopen
wrappers in include()-functions. This directive should be SEPARATED
from allow_url_fopen and allowed to be switched off not only in
php.ini. Or just allow allow_url_fopen to be switched off from
everywhere (but not switched on, only off).

(Personally I think that it was a bad idea to add fopen wrappers support
in include functions at all, but what was made — is what is made).

Thanks.



------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=28684&edit=1
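
An application-side guard for the include() concern raised in this report, as an added example that is not part of the bug report or of PHP itself: the script resolves every include target to an existing local file under one fixed directory before including it, so the outcome does not depend on the server-wide allow_url_fopen value. The function name resolve_local_include, the temporary directory and the sample inputs are constructed for illustration, and the code uses current PHP syntax rather than that of 4.3.6.

```php
<?php
// Added example, not code from the bug report. Names and inputs are constructed.

/** Resolve $requested to a real local file under $baseDir, or return null. */
function resolve_local_include(string $requested, string $baseDir): ?string
{
    // A scheme prefix (http://, ftp://, php://, data:) names a stream wrapper.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    // realpath() resolves only existing local filesystem paths.
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // The resolved path must stay inside the base directory.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo: a temporary directory holding one local page.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'inc_demo_' . getmypid();
@mkdir($dir);
$page = $dir . DIRECTORY_SEPARATOR . 'home.php';
file_put_contents($page, "<?php return 'home page';\n");

// The directive the report discusses is server-wide, so it is only reported.
printf("allow_url_fopen = %s\n", var_export(ini_get('allow_url_fopen'), true));

// Constructed inputs: one legitimate page name and three that must be refused.
$samples = ['home.php', 'http://example.invalid/x.php', 'php://input', '../outside.php'];
foreach ($samples as $name) {
    $path = resolve_local_include($name, $dir);
    if ($path === null) {
        printf("%-30s rejected\n", $name);
        continue;
    }
    $result = include $path;
    printf("%-30s included -> %s\n", $name, $result);
}

unlink($page);
rmdir($dir);
```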
