Which PHP functions are affected by allow_url_fopen?

In PHP, the allow_url_fopen flag controls whether or not remote URLs can be used by various file system functions, in order to access remote files.

It is recommended security best practice nowadays to disable this option, as it is a potential attack vector. However, any code which depends on this functionality in order to work would be broken if the setting is disabled. For example, I know of at least one reCaptcha plugin which uses file_get_contents() to access the Google API and which therefore depends on this flag.

In order to check the code in our applications to determine whether it is safe to disable this flag (with a view to rewriting, where necessary) I need a canonical list of the PHP functions that it affects. However, I have been unable to find such a list - there doesn't seem to be one on the PHP website and a Google search didn't turn anything up.

  • Can anyone provide a list of all PHP functions whose behaviour is affected by allow_url_fopen?

The accepted answer should reference an authoritative source or provide details about methodology used to compile the list, to demonstrate its correctness and completeness.

HappyDog asked Mar 23 '19 11:03


1 Answer

The list of functions is massive, as the allow_url_fopen ini directive is implemented in PHP's streams system, meaning anything that uses PHP's network streams is affected.

This includes functions from pretty much every extension of PHP that does not use an external library for gaining access to a remote file, as some extensions, like cURL, use their own transport layer outside that of PHP.

Some extensions, notoriously ext/soap, do bypass this directive in some ways (for what reason I don't exactly know, as I'm not familiar with the internals of this extension).

Any function from the standard library (implemented in: main/, Zend/, ext/standard, ext/spl), meaning every Filesystem, Stream, Includes and URL Wrappers function, respects this directive. Off the top of my head I also know that ext/exif does this.

I cannot remember off the top of my head if the XML based extensions (such as ext/libxml, ext/simplexml, ext/xmlreader, ext/xmlwriter, ext/dom) do this, but I'm certain that there was a point in the past where they did not respect it, as the path was directly supplied to LibXML2 underneath.

Kalle answered Sep 29 '22 22:09
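Since the answer explains that no complete list exists, a practical way to do the audit the question asks for is to scan the code base for calls that take a path through the stream layer and look at what argument they receive. The script below is an added example, not part of the question or of Kalle's answer; the function names it searches for are an assumed starting list of stream-path functions, and the PHP sample it scans is constructed.

```python
import re

# Assumed starting list of functions whose path argument goes through PHP's
# stream layer, so a remote URL in that position depends on allow_url_fopen.
# Not exhaustive: extend it as your own audit uncovers more.
STREAM_FUNCS = (
    "file_get_contents", "fopen", "file", "readfile", "copy",
    "simplexml_load_file", "exif_read_data", "parse_ini_file",
)
# include/require are governed by the separate allow_url_include directive
# but also resolve paths through the stream layer, so they are reported too.
INCLUDE_KEYWORDS = ("include_once", "include", "require_once", "require")

URL_LITERAL = re.compile(r"""^['"](?:https?|ftp|ftps)://""", re.I)
_CALL = re.compile(r"\b(" + "|".join(STREAM_FUNCS) + r")\s*\(\s*([^,)]*)", re.I)
_INCL = re.compile(r"\b(" + "|".join(INCLUDE_KEYWORDS) + r")\b\s*\(?\s*([^;)]*)", re.I)

def classify(arg: str) -> str:
    """'remote' for a literal URL, 'local' for any other string literal,
    'dynamic' when the path is built at runtime and needs manual review."""
    arg = arg.strip()
    if URL_LITERAL.match(arg):
        return "remote"
    if arg[:1] in ("'", '"'):
        return "local"
    return "dynamic"

def audit(source: str) -> list:
    """Return (line number, function/keyword, classification) per finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern in (_CALL, _INCL):
            for m in pattern.finditer(line):
                findings.append((lineno, m.group(1).lower(), classify(m.group(2))))
    return findings

def breaks_without_url_fopen(source: str) -> list:
    """Findings that will stop working once allow_url_fopen is disabled."""
    return [f for f in audit(source) if f[2] == "remote"]

# Constructed PHP sample, modelled on the reCaptcha case from the question.
SAMPLE = """<?php
$resp = file_get_contents("https://www.google.com/recaptcha/api/siteverify?secret=" . $s);
$cfg = parse_ini_file('/etc/app/config.ini');
$fh = fopen($userPath, 'r');
require_once __DIR__ . '/lib.php';
"""

if __name__ == "__main__":
    for lineno, func, kind in audit(SAMPLE):
        print(f"line {lineno}: {func} -> {kind}")
```

Anything reported as remote must be rewritten (for example to cURL, which the answer notes has its own transport layer) before the flag is turned off; dynamic findings need a manual look, because a runtime-built path may still be a URL.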