| 1 |
Hey, |
| 2 |
|
| 3 |
allow_url_fopen = On is a bad default because of some behavior which comes |
| 4 |
along with it. |
| 5 |
|
| 6 |
The function allows the PHP open commands to open a URL and download its |
| 7 |
contents. Except, if the contents are sent as a PHP program, it will then |
| 8 |
execute that code, allowing an easy server compromise from code bugs. |
| 9 |
|
| 10 |
A simple one-line php script to load pages like SSI could be compromised |
| 11 |
by passing a URL as a variable, for instance. |
| 12 |
|
| 13 |
If you know how many PHP applications you are going to be running, and you |
| 14 |
trust its code, you can turn that option back on without much trouble. I |
| 15 |
would never allow its usage on a hosting service, or any place where you |
| 16 |
don't trust the code. |
| 17 |
|
| 18 |
-Dormando |
| 19 |
|
| 20 |
On Fri, 4 Jun 2004 linux-lists@×××.de wrote: |
| 21 |
|
| 22 |
> Hi, |
| 23 |
> |
| 24 |
> I have a problem with some php scripts, which seem not running because |
| 25 |
> I of this changes in php.ini: |
| 26 |
> |
| 27 |
> ; Whether to allow the treatment of URLs (like http:// or ftp://) as |
| 28 |
> files.; allow_url_fopen = On |
| 29 |
> ; Closed for security - <robbat2@g.o> |
| 30 |
> allow_url_fopen = Off |
| 31 |
> |
| 32 |
> Which security reason is concering here? |
| 33 |
> |
| 34 |
> best regards, |
| 35 |
> kloschi |
| 36 |
> |
Archives