
[nycphp-talk] allow_url_fopen

George Schlossnagle george at omniti.com
Fri Aug 20 14:47:09 EDT 2004


> David Mintz dmintz-at-davidmintz.org |nyphp 04/2004| wrote:
>
>> On Thu, 19 Aug 2004, George Schlossnagle wrote:
>>
>>>> Output:
>>>>
>>>> Current value: disabled ....now: enabled
>>>>
>>>> Followed by our phpinfo which says allow_url_fopen: master value off,
>>>> local value on. (PHP 4.3.4 running as an Apache 1.3.29 module)
>>>>
>>> Your clients are running a version 4 point release that is nearly a year
>>> old.  You should upgrade, for the sake of this security issue as well
>>> as others.
>>>
>>> George
>>>
>>> p.s. the issue you describe was fixed in 4.3.5, over half a year ago.
>>>
>>
>> Their customer newsletter recently said, hey, we are now setting
>> allow_url_fopen = off in our php.ini (because of all the carelessly
>> written stuff that had been hacked on their servers), so if you need it,
>> you better ini_set() it yourself.

allow_url_fopen is a pretty big security issue - it really heightens 
your exposure to cross-site scripting attacks.

>> I guess whenever they do upgrade, and if they do keep that setting, I can
>> either run in CGI mode and write my own damn php.ini, or use cURL. Or...
>> what would you suggest, if you need to go out and fetch a web page
>> somewhere once in a while?

I'd use cUrl.  Some people like the PEAR HTTP classes for this as well.
I think the important thing is that you actually have to consciously
open a url, which I think is a good thing.

>> Oops, reading again I see: "you should upgrade." Maybe I'll try compiling
>> my own 4.3.8 and using CGI mode.

That would work.  You should encourage the Pair folks to upgrade as
well.  4.3.4 is old now.

George
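The approach George recommends above, written out as an added example that is not part of the original thread: fetch a page through the cURL extension so the script works whether or not the host has allow_url_fopen on, and only inspect that setting rather than try to change it (from PHP 4.3.5 on it is a system-level ini value, which is the fix referred to earlier in the thread). Assumes PHP 7.1 or later with the curl extension; the helper names are this example's own.

```php
<?php
// Added example, not code from the original thread. Assumes PHP 7.1+ with
// ext/curl; allow_url_fopen_enabled() and fetch_page_curl() are hypothetical.

function allow_url_fopen_enabled(): bool
{
    // Since PHP 4.3.5 allow_url_fopen is PHP_INI_SYSTEM: ini_set() cannot
    // turn it on at runtime, so a script can only read what the host set.
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

function fetch_page_curl(string $url, int $timeout = 10): ?string
{
    // Accept only http(s) URLs before handing anything to cURL.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_CONNECTTIMEOUT => $timeout,
        CURLOPT_TIMEOUT        => $timeout,
        // Do not follow redirects silently; a redirect to another scheme
        // or an internal address should be a visible failure, not a fetch.
        CURLOPT_FOLLOWLOCATION => false,
        // Restrict cURL itself to http/https regardless of the input.
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_USERAGENT      => 'example-fetcher/1.0',
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $err    = curl_error($ch);
    curl_close($ch);

    if ($body === false || $err !== '' || $status !== 200) {
        return null;
    }
    return $body;
}

// Usage: the fetch is an explicit, deliberate network call either way.
echo 'allow_url_fopen: ', allow_url_fopen_enabled() ? "on\n" : "off\n";
$page = fetch_page_curl('https://example.com/');
echo $page === null ? "fetch failed\n" : substr($page, 0, 200) . "\n";
```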