[php-maint] Bug#399259: php4: Turn off allow_url_fopen by default

David Garamond david_garamond at yahoo.com
Sat Nov 18 21:59:35 CET 2006


Package: php4
Version: 4:4.4.4-1+spanel1
Severity: wishlist
Tags: patch


allow_url_fopen is nowadays by far the most prominent cause of web exploits
(remote file vulnerability in PHP web applications). As an active
security measure, I suggest we disable this option by default in PHP,
not just php.ini, because in some systems a hosting user is allowed to
have their own php.ini which might be old/not updated. The PHP team is
also considering turning this option off by default.

START PATCH

diff -ru php-4.4.4.orig/main/main.c php-4.4.4/main/main.c
--- php-4.4.4.orig/main/main.c  2006-05-19 05:36:14.000000000 +0700
+++ php-4.4.4/main/main.c       2006-11-19 01:52:01.000000000 +0700
@@ -352,7 +352,7 @@
        PHP_INI_ENTRY("disable_functions",                      "",                     PHP_INI_SYSTEM,         NULL)
        PHP_INI_ENTRY("disable_classes",                        "",                     PHP_INI_SYSTEM,         NULL)

-       STD_PHP_INI_BOOLEAN("allow_url_fopen",          "1",            PHP_INI_SYSTEM,         OnUpdateBool,                   allow_url_fopen,                        php_core_globals,       core_globals)
+       STD_PHP_INI_BOOLEAN("allow_url_fopen",          "0",            PHP_INI_SYSTEM,         OnUpdateBool,                   allow_url_fopen,                        php_core_globals,       core_globals)
        STD_PHP_INI_BOOLEAN("always_populate_raw_post_data",            "0",            PHP_INI_SYSTEM|PHP_INI_PERDIR,          OnUpdateBool,                   always_populate_raw_post_data,    php_core_globals,        core_globals)

 PHP_INI_END()
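Review bot: flipping the STD_PHP_INI_BOOLEAN default from "1" to "0" only takes effect where no loaded ini file mentions the directive, because an explicit `allow_url_fopen = On` in php.ini overrides the compiled-in value; the php.ini shipped by the package needs the matching change, and the reversal should be called out in the changelog, since applications that open http:// or ftp:// URLs with fopen/include will start failing with a warning instead of working. The trailing `Only in php-4.4.4/main: main.c~` line shows an editor backup file left in the source tree; regenerate the diff with `-x '*~'` (or remove the file) so the patch applies cleanly.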
Only in php-4.4.4/main: main.c~

END PATCH

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (600, 'testing'), (550, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages php4 depends on:
ii  php4-cgi               4:4.4.4-1+spanel1 server-side, HTML-embedded scripti
ii  php4-common            4:4.4.4-1+spanel1 Common files for packages built fr

php4 recommends no packages.

-- no debconf information
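The report's concern is per-user php.ini files that still enable the directive, or that never mention it and therefore inherit the compiled-in default. Below is an added POSIX shell audit helper, not from the bug report or the Debian php4 package, that reports each file's effective allow_url_fopen setting; it treats "unset" as unsafe because the unpatched default in the hunk above is "1". The sample ini files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian php4 package): audit
# php.ini-style files for the effective allow_url_fopen setting.
# Assumptions: files use php.ini syntax ("key = value", ';' starts a comment),
# and the compiled-in default is On as in unpatched main.c, so a file that
# never sets the directive is reported as "unset" and counted as unsafe.

# allow_url_fopen_state FILE
# Prints on, off or unset. PHP honours the last assignment in a file, so the
# last matching line wins; quoted values and On/True/Yes/1 spellings are accepted.
allow_url_fopen_state() {
    _f="$1"
    # Emit "=<value>" for every assignment line so an empty value ("allow_url_fopen =")
    # is distinguishable from the directive being absent altogether.
    _val=$(sed -n 's/^[[:space:]]*allow_url_fopen[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/=\1/p' "$_f" | tail -n 1)
    case "$_val" in
        '') echo unset; return ;;
    esac
    _val=$(printf '%s' "${_val#=}" | tr -d '"'"'" | tr 'A-Z' 'a-z')
    case "$_val" in
        1|on|true|yes) echo on ;;
        *)             echo off ;;   # Off, false, no, 0 and "" are all false in PHP
    esac
}

# audit_ini_files FILE...
# Prints "<file> <state>" per file and returns 1 if any file leaves
# allow_url_fopen on or unset, 0 if every file turns it off explicitly.
audit_ini_files() {
    _unsafe=0
    for _f in "$@"; do
        _state=$(allow_url_fopen_state "$_f")
        echo "$_f $_state"
        case "$_state" in
            on|unset) _unsafe=1 ;;
        esac
    done
    return $_unsafe
}

# Demonstration on constructed sample files in a scratch directory.
_demo=$(mktemp -d)
printf 'allow_url_fopen = On\n' > "$_demo/user1-php.ini"
printf '; old note: allow_url_fopen = On\nallow_url_fopen = Off\n' > "$_demo/user2-php.ini"
printf 'display_errors = Off\n' > "$_demo/user3-php.ini"
audit_ini_files "$_demo"/*-php.ini && echo "all files safe" || echo "unsafe files present (exit status 1)"
rm -rf "$_demo"
```

On a hosting box the file list would come from something like `find /home -name php.ini`; the non-zero exit status makes the helper usable from cron or a configuration check.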
