[php-maint] Bug#399259: php4: Turn off allow_url_fopen by default
David Garamond
david_garamond at yahoo.com
Sat Nov 18 21:59:35 CET 2006
Package: php4
Version: 4:4.4.4-1+spanel1
Severity: wishlist
Tags: patch
allow_url_fopen is nowadays by far the most prominent cause of web exploits
(remote file vulnerability in PHP web applications). As an active
security measure, I suggest we disable this option by default in PHP,
not just php.ini, because in some systems a hosting user is allowed to
have their own php.ini which might be old/not updated. The PHP team is
also considering turning this option off by default.
START PATCH
diff -ru php-4.4.4.orig/main/main.c php-4.4.4/main/main.c
--- php-4.4.4.orig/main/main.c 2006-05-19 05:36:14.000000000 +0700
+++ php-4.4.4/main/main.c 2006-11-19 01:52:01.000000000 +0700
@@ -352,7 +352,7 @@
PHP_INI_ENTRY("disable_functions", "", PHP_INI_SYSTEM, NULL)
PHP_INI_ENTRY("disable_classes", "", PHP_INI_SYSTEM, NULL)
- STD_PHP_INI_BOOLEAN("allow_url_fopen", "1", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
+ STD_PHP_INI_BOOLEAN("allow_url_fopen", "0", PHP_INI_SYSTEM, OnUpdateBool, allow_url_fopen, php_core_globals, core_globals)
STD_PHP_INI_BOOLEAN("always_populate_raw_post_data", "0", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateBool, always_populate_raw_post_data, php_core_globals, core_globals)
PHP_INI_END()
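Review bot: flipping the compiled-in default at `STD_PHP_INI_BOOLEAN("allow_url_fopen", "0", ...)` changes behaviour for every installation that never sets the key (no php.ini, or a php.ini that predates the setting), so the patch should ship with a matching update to the packaged php.ini defaults and a changelog/NEWS entry that names the new default and the way to restore the old one (`allow_url_fopen = On` in php.ini; the entry is `PHP_INI_SYSTEM`-scoped, so it cannot be re-enabled from .htaccess or ini_set()). The `Only in php-4.4.4/main: main.c~` line shows an editor backup file left in the patched tree; remove it and regenerate the diff so the stray file does not end up in the package.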
Only in php-4.4.4/main: main.c~
END PATCH
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (600, 'testing'), (550, 'stable'), (50, 'unstable'), (40, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-k7
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages php4 depends on:
ii php4-cgi 4:4.4.4-1+spanel1 server-side, HTML-embedded scripti
ii php4-common 4:4.4.4-1+spanel1 Common files for packages built fr
php4 recommends no packages.
-- no debconf information
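Added example, not part of the bug report or the PHP package: it shows what the compiled-in default protects against and how an application avoids relying on that default at all. The `render_page_*` functions, the `pages/` directory and the page keys are constructed for illustration; `ini_get`, `filter_var` and `FILTER_VALIDATE_BOOLEAN` are real PHP (5.2+) APIs.

```php
<?php
// Added example (not from the bug report). Assumes PHP 5.2 or later.

// 1. Check the effective setting at runtime. With the patch in the report
//    the compiled-in default is "0", so a missing or stale php.ini no
//    longer re-enables remote stream wrappers behind the operator's back.
function remote_wrappers_enabled(): bool
{
    // ini_get() returns "1"/"0" (or "" when the key is unknown).
    return filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN);
}

// 2. The pattern allow_url_fopen turns into remote file inclusion: request
//    input reaching include() unfiltered. With remote wrappers on, a value
//    starting with "http://" is fetched from elsewhere and executed.
//    Shown only as the 'before' of the fix below.
function render_page_unsafe(string $page): void
{
    include $page . '.php';          // vulnerable: caller controls the path
}

// 3. Hardened form: never build the include path from input. Map a short
//    key to a fixed allow-list of local files, so the outcome is the same
//    whether allow_url_fopen is on or off.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',     // constructed paths
    'contact' => __DIR__ . '/pages/contact.php',
];

function render_page(string $key): void
{
    if (!array_key_exists($key, PAGES)) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include PAGES[$key];
}

// Operators can log the effective setting at deploy time; an application
// that expects remote wrappers to be off can refuse to start otherwise.
if (remote_wrappers_enabled()) {
    error_log('allow_url_fopen is On; remote stream wrappers are reachable');
}
```

The runtime check matters in exactly the scenario the report describes: a per-user php.ini under a CGI setup can silently carry a different value than the system one, and only `ini_get()` reports what this process actually runs with.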