From:
Operating system: Irrelevant
PHP version:      5.2.14
Package:          *Configuration Issues
Bug Type:         Feature/Change Request
Bug description:  PHP_INI_SYSTEM level of allow_url_fopen prevents disabling it

Description:
------------
The documentation states that "[allow_url_fopen] can only be set in php.ini due to security reasons". This is a completely wrong approach, as it also prevents security-conscious developers from DISABLING the dangerous allow_url_fopen option, if it is enabled server-wide (for example in a shared hosting setup).

Having a single point of control over allow_url_fopen forces the entire webserver and all websites and applications to share the same setting, which in some cases would force administrators to enable the option due to poorly written third-party code which might be unfeasible to fix or replace, which would lower security for other code that relies on allow_url_fopen being off, and it's not possible to selectively disable it where it really is not needed.

The added security of restricting allow_url_fopen to php.ini only is questionable, as malicious users can use other means to access remote URLs, while legitimate users are left without the option of controlled access to remote URLs. The best scenario would be a globally disabled allow_url_fopen option (which really should be the default), with the possibility for controlled enabling of the feature only where it's needed.

Test script:
---------------
# php.ini
allow_url_fopen = On

# test.php
<?php
// Try to switch the setting off at runtime, then report the effective value.
ini_set('allow_url_fopen', 0);
print(ini_get('allow_url_fopen') ? 'enabled' : 'disabled');

Expected result:
----------------
disabled

Actual result:
--------------
enabled

--
Edit bug report at http://bugs.php.net/bug.php?id=53052&edit=1
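
Added example, not part of the original report or of PHP itself: since the report shows that ini_set() cannot turn allow_url_fopen off, application code that depends on it being off can check the setting's access level and refuse URL-type stream wrappers per call. The function names url_fopen_status() and fopen_local_only() and the sample URL are hypothetical; the code assumes a current PHP release.

```php
<?php
// Added example. url_fopen_status() and fopen_local_only() are hypothetical names.

/** Report the effective setting and whether ini_set() may change it. */
function url_fopen_status(): array
{
    // With details enabled, each entry carries global_value, local_value, access.
    $entry = ini_get_all(null, true)['allow_url_fopen'];
    return [
        'enabled' => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        // The INI_USER bit is what would let a script change the value at runtime.
        'runtime_changeable' => (bool) ($entry['access'] & INI_USER),
    ];
}

/** Open $path only when its stream wrapper is local, whatever the ini setting. */
function fopen_local_only(string $path, string $mode = 'rb')
{
    // stream_is_local() is false for URL-type wrappers (http, ftp, ...), the
    // class of wrapper that allow_url_fopen = Off is meant to block.
    if (!stream_is_local($path)) {
        throw new InvalidArgumentException('remote stream wrapper refused');
    }
    return fopen($path, $mode);
}

$status = url_fopen_status();
printf(
    "allow_url_fopen: %s, changeable via ini_set(): %s\n",
    $status['enabled'] ? 'enabled' : 'disabled',
    $status['runtime_changeable'] ? 'yes' : 'no'
);

// Constructed sample inputs: this script itself and a placeholder URL.
// No network request is made; the URL is rejected before fopen() is reached.
foreach ([__FILE__, 'http://example.invalid/data.txt'] as $candidate) {
    try {
        $handle = fopen_local_only($candidate);
        echo "opened: $candidate\n";
        fclose($handle);
    } catch (InvalidArgumentException $e) {
        echo "refused: $candidate ({$e->getMessage()})\n";
    }
}
```

The guard only covers calls routed through it; include/require and third-party code that calls fopen() directly still follow the server-wide setting.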