Newsgroups: php.internals
Message-ID: <42BDDC82.6020208@ohgaki.net>
Date: Sun, 26 Jun 2005 07:36:50 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: internals@lists.php.net
Subject: allow_url_fopen should be INI_ALL

As of PHP 4.3.4, the default for allow_url_fopen was changed from INI_ALL to INI_SYSTEM. This change should be reverted, because

1) INI_SYSTEM makes it impossible to patch a vulnerable application by adding ini_set().

    <?php
    ini_set('allow_url_fopen', 0);
    // some dangerous include/require statement
    ini_set('allow_url_fopen', 1); // reenable if allow_url_fopen is required

2) Programmers should be able to control whether a program is allowed to access remote files or not, and should be able to enable/disable allow_url_fopen _only_ where the feature is needed. allow_url_fopen should not be a site-wide configuration, for security reasons.

The preferred solution would be to

1) change allow_url_fopen to INI_ALL
2) disable allow_url_fopen by default

I would like to see these changes in PHP 5.1 and PHP 4.4, since these are security-related changes.

-- 
Yasuo Ohgaki
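As an added example (not part of the original post, and written for current PHP rather than the 4.x/5.1 of the thread), the scoped pattern the post argues for, with the check a practitioner wants: ini_set() returns false when a directive cannot be changed at runtime, which is exactly what happens for an INI_SYSTEM directive, so the wrapper fails closed instead of including the file with remote access still enabled. The file name plugin.php is a hypothetical local include.

```php
<?php
// Added example, not the original poster's code. Disables remote file access
// only around one sensitive include and restores the previous value afterwards.
function require_local_only(string $path): void
{
    $previous = ini_get('allow_url_fopen');   // e.g. "1", "0" or ""

    // ini_set() returns false if the directive is not changeable at runtime
    // (INI_SYSTEM, the situation the post complains about). If remote access
    // was on and we could not turn it off, refuse to include rather than
    // continue with the setting we wanted to remove still in effect.
    $changed = ini_set('allow_url_fopen', '0');
    if ($changed === false && filter_var($previous, FILTER_VALIDATE_BOOLEAN)) {
        throw new RuntimeException(
            'allow_url_fopen cannot be disabled at runtime; refusing to include ' . $path
        );
    }

    try {
        require $path;
    } finally {
        // Restore the caller's setting so code that legitimately needs
        // remote file access elsewhere is unaffected.
        ini_set('allow_url_fopen', $previous);
    }
}

// Hypothetical local plugin file; the include runs with remote access off.
require_local_only(__DIR__ . '/plugin.php');
```

With allow_url_fopen still INI_SYSTEM in current PHP, the only way to make this wrapper succeed is to have the directive already off in php.ini, which is the post's second proposed change.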