Newsgroups: php.internals (php.internals:16905)
From: pollita@php.net ("Sara Golemon")
To: internals@lists.php.net
Date: Sun, 26 Jun 2005 09:02:23 -0700
Subject: Re: allow_url_fopen should be INI_ALL
Message-ID: <01.6A.54439.491DEB24@pb1.pair.com>
References: <42BDDC82.6020208@ohgaki.net>

> 1) INI_SYSTEM prevents patching a vulnerable application by adding
> ini_set().
>
> ini_set('allow_url_fopen', 0);
> // some dangerous include/require statement
> ini_set('allow_url_fopen', 1); // re-enable if allow_url_fopen is
> required
>

    // Drop every registered wrapper except the local ones,
    // so only plain files and php:// streams can be opened.
    $allowed_wrappers = array('php', 'file');
    foreach (stream_get_wrappers() as $wrapper) {
        if (!in_array($wrapper, $allowed_wrappers)) {
            stream_wrapper_unregister($wrapper);
        }
    }

> 2) Programmers should be able to control whether the program is allowed
> to access remote files or not, and should be able to enable/disable
> allow_url_fopen _only_ where the feature is needed.
>

Already got it.

> allow_url_fopen should not be a site-wide configuration, for security
> reasons.
>

allow_url_fopen is for site administrators to globally stop users from being stupid. Letting them override it makes as much sense as letting ini_set('safe_mode', false); work.

> I would like to see these changes in PHP 5.1 and PHP 4.4, since these
> are security-related changes.
>

-1 from me. wrapper_unregister/wrapper_restore lets you do everything you want and then some without reducing the admin's control any.

Yes, unregister/restore is PHP5 only. I'd personally be okay with merging this to 4.4 as the bulk of the support for it is already there internally, it's just adding a couple PHP_FUNCTION hooks to make it happen. That's up to the RM and general consensus though.

-Sara
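The wrapper-allowlist approach from the post above, carried through as a complete script. This is an added example, not code from the original message or from PHP's own sources. It assumes PHP 5.1 or later, where stream_wrapper_unregister() and stream_wrapper_restore() exist; the helper names restrict_stream_wrappers() and restore_stream_wrappers() and the URL used as untrusted input are made up for illustration.

```php
<?php
// Added example (not from the original post): restrict the stream wrappers a
// request may use to an allowlist, perform the risky include, then restore.
// Assumes PHP >= 5.1 for stream_wrapper_unregister()/stream_wrapper_restore().

/**
 * Unregister every stream wrapper whose name is not in $allowed.
 * Returns the names that were removed so they can be restored later.
 */
function restrict_stream_wrappers(array $allowed)
{
    $removed = array();
    foreach (stream_get_wrappers() as $wrapper) {
        if (!in_array($wrapper, $allowed, true)) {
            if (stream_wrapper_unregister($wrapper)) {
                $removed[] = $wrapper;
            }
        }
    }
    return $removed;
}

/**
 * Re-enable the built-in wrappers removed by restrict_stream_wrappers().
 */
function restore_stream_wrappers(array $removed)
{
    foreach ($removed as $wrapper) {
        stream_wrapper_restore($wrapper);
    }
}

// 'file' is what plain paths resolve to: dropping it breaks every include.
// 'php' keeps php://stdin, php://output and friends working.
$removed = restrict_stream_wrappers(array('file', 'php'));

echo "Wrappers left during the untrusted include: ",
     implode(', ', stream_get_wrappers()), "\n";

// Constructed attacker-controlled value standing in for e.g. $_GET['page'].
$untrusted = 'http://example.invalid/evil.txt';

// With http unregistered, include cannot open the URL even though
// allow_url_fopen is still On for the rest of the site. PHP raises an
// E_WARNING and include evaluates to false instead of running remote code.
$result = @include $untrusted;
if ($result === false) {
    echo "Remote include was blocked.\n";
}

// Hand the original wrapper set back to the rest of the request.
restore_stream_wrappers($removed);

echo "Wrappers after restore: ", implode(', ', stream_get_wrappers()), "\n";
```

Two caveats a practitioner would want. First, the restriction is per request and only protects code that runs after it; anything in the same request can call stream_wrapper_restore() itself, so this hardens your own include sites rather than sandboxing third-party code. Second, the allowlist is broader than allow_url_fopen: in builds where wrappers such as phar:// or compress.zlib:// are registered, they are removed too, which is why only the names the application actually opens should be in the allowlist.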