Hey,

allow_url_fopen = On is a bad default because of some behavior which comes
along with it.

The function allows the PHP open commands to open a URL and download its
contents. Except, if the contents are sent as a PHP program, it will then
execute that code, allowing an easy server compromise from code bugs.

A simple one-line PHP script to load pages like SSI could be compromised
by passing a URL as a variable, for instance.

If you know how many PHP applications you are going to be running, and you
trust their code, you can turn that option back on without much trouble. I
would never allow its usage on a hosting service, or any place where you
don't trust the code.

-Dormando

On Fri, 4 Jun 2004 linux-lists@×××.de wrote:

> Hi,
>
> I have a problem with some PHP scripts, which seem not to be running because
> of these changes in php.ini:
>
> ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
> ; allow_url_fopen = On
> ; Closed for security - <robbat2@g.o>
> allow_url_fopen = Off
>
> Which security reason is concerning here?
>
> best regards,
> kloschi
>
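
Added example, not part of either message above: the kind of one-line page loader the reply describes, shown next to a hardened form in which the request only selects a key from a fixed table. The `page` parameter, the `pages/` directory and the file names are assumptions made for illustration.

```php
<?php
// Added example; the "page" parameter, directory and file names are hypothetical.

// Pattern the reply warns about (left commented out, not executed):
//   include($_GET['page']);
// With URL wrappers enabled for include(), the caller-supplied value decides
// which code the server fetches and runs. On PHP 5.2 and later, remote
// include additionally requires allow_url_include = On.

// Hardened loader: the path always comes from this server-side table,
// so no URL or "../" string from the request ever reaches include().
const PAGES = [
    'home'    => 'home.inc.php',
    'contact' => 'contact.inc.php',
];

function resolve_page(string $requested): ?string
{
    // Exact key match only; anything not listed is rejected.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    return __DIR__ . '/pages/' . PAGES[$requested];
}

// Reject non-string input such as ?page[]=x before the lookup.
$requested = (isset($_GET['page']) && is_string($_GET['page']))
    ? $_GET['page']
    : 'home';

$path = resolve_page($requested);

if ($path === null || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

include $path;
```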