Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Which PHP functions are affected by allow_url_fopen?

Tags:

php

php-internals

In PHP, the allow_url_fopen flag controls whether or not remote URLs can be used by various file system functions, in order to access remote files.

It is recommended security best practice nowadays to disable this option, as it is a potential attack vector. However, any code which depends on this functionality in order to work would be broken if the setting is disabled. For example, I know of at least one reCaptcha plugin which uses file_get_contents() to access the Google API and which therefore depends on this flag.

In order to check the code in our applications to determine whether it is safe to disable this flag (with a view to rewriting, where necessary) I need a canonical list of the PHP functions that it affects. However, I have been unable to find such a list - there doesn't seem to be one on the PHP website and a Google search didn't turn anything up.

  • Can anyone provide a list of all PHP functions whose behaviour is affected by allow_url_fopen?

The accepted answer should reference an authoritative source or provide details about methodology used to compile the list, to demonstrate its correctness and completeness.

like image 561
HappyDog Avatar asked Mar 23 '19 11:03

HappyDog

1 Answers

The list of functions is massive, as the allow_url_fopen ini directive is implemented in PHP's streams system, meaning anything that uses PHP's network streams are affected.

This includes functions from pretty much every extension of PHP that does not use an external library for gaining access to a remote file. As some extensions like cURL uses its own transport layer outside that of PHP.

Some extensions, notoriously ext/soap does bypass this directive in some ways (for what reason I don't exactly know as I'm not familiar with the internals of this extension).

Any function from the standard library (implemented in: main/, Zend/, ext/standard, ext/spl), meaning every Filesystem, Stream, Includes and URL Wrappers respect this directive. From on top of my head I also know that ext/exif does this.

I cannot remember on top of my head if XML based extensions (such as ext/libxml, ext/simplexml, ext/xmlreader, ext/xmlwriter, ext/dom) does this, but I'm certain that there was a point in the past where they did not respect it as the path was directly supplied to LibXML2 underneath.

like image 198
Kalle Avatar answered Sep 29 '22 22:09

Kalle
Sign in to Comment

Related questions

Laravel - Unauthenticated redirect issue with multiple authentication
Join two tables with group by condition
How to ignore the specific CSS codes coming from the WordPress plugin stylesheet?
What is causing this memory leak when (inner) joining this table?
How do you customize variables in Laravel default emails?
Embedding image in laravel markdown email
Add conditionally a discount programmatically to Woocommerce 3
What can prevent overriding Access-Control-Allow-Origin in server?
Sweet Alert Delete Confirmation with a href
Replace str1 with str2 and vice versa
Array for multidimensional array with depth
Laravel observer not working on bulk insert
How would one limit the Manual Excerpt Length in WP?
Reload the page after ajax success
How to catch unserialize exception?
Can str_replace be safely used on a UTF-8 encoded string if it's only given valid UTF-8 encoded strings as arguments?
How to access the php.ini from cPanel?
Doctrine - How to bind array to the SQL?
How to enable color for PHP CLI?
How can I make visual studio highlight .php files

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!