ID: 25461 User updated by: ashley at netcraft dot com dot au Reported By: ashley at netcraft dot com dot au -Status: Bogus +Status: Closed Bug Type: Feature/Change Request Operating System: Linux PHP Version: 4.3.3 New Comment:
No point in this. I know it's in the config file. I know it's in the manual. I still see it as insecure and there should be a security warning. Previous Comments: ------------------------------------------------------------------------ [2003-09-10 03:05:19] [EMAIL PROTECTED] from php.ini: ; Whether to allow the treatment of URLs (like http:// or ftp://) as files. >From the manual: allow_url_fopen = On allow_url_fopen boolean This option enables the URL-aware fopen wrappers that enable accessing URL object like files. Default wrappers are provided for the access of remote files using the ftp or http protocol, some extensions like zlib may register additional wrappers. ------------------------------------------------------------------------ [2003-09-09 21:17:27] ashley at netcraft dot com dot au I know there's an option for it, but it should come with a warning that it also enables url's on include/require. ------------------------------------------------------------------------ [2003-09-09 21:02:31] [EMAIL PROTECTED] Search php.ini-dist (or php.ini-recommended) for "allow_url_fopen" directive. ------------------------------------------------------------------------ [2003-09-09 19:48:43] ashley at netcraft dot com dot au Description: ------------ I think it's highly insecure that 'include' and 'require' support http:// url's by default. Why would you want to execute arbitrary code from another web page? I have seen many sites where they are exploitable because they do require $page. ".php"; Although this is bad programming, it's still insecure to allow http url's by default. Also, I'd strongly suggest never using http includes unless you control the DNS for the domain of the site you are connecting to. Otherwide the hostname could be changed over to a different page. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=25461&edit=1
