[php-maint] Bug#399258: Bug#399258: php5: Turn off allow_url_fopen by default

Thijs Kinkhorst thijs at debian.org
Thu Nov 20 14:02:48 UTC 2008


> Allow_url_fopen is nowadays by far the prominent cause of web exploits
> (remote file vulnerability in PHP web applications).

That knowledge used to be true when we had PHP4, but I believe its risks
are a lot smaller with PHP5, where this setting does not apply to
include() and require() calls. Those calls were the most prominent cause
of exploits.

> As an active
> security measure, I suggest we disable this option by default in PHP,
> not just php.ini,

Turning it off by default, hardcoding it, is really not Debian's job here;
the choice is left to the administrator on how to handle that.


cheers,
Thijs
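
Added example, not part of the original message or of the Debian/PHP packaging: a small audit an administrator could run over a php.ini to see which call families accept URLs. It assumes a single php.ini text (no conf.d or per-directory overrides) and the separate `allow_url_include` directive that PHP 5.2.0 and later use for include()/require(); the function names and sample inputs are hypothetical.

```python
import re

# Compiled-in defaults when a directive is absent from php.ini.
DEFAULTS = {"allow_url_fopen": "1", "allow_url_include": "0"}

def php_bool(value):
    """Interpret a php.ini boolean the way PHP does: on/true/yes, else integer."""
    v = value.strip().strip("\"'").lower()
    if v in ("on", "true", "yes"):
        return True
    try:
        return int(v) != 0
    except ValueError:      # off, false, no, none, empty string
        return False

def url_wrapper_exposure(ini_text):
    """Return which call families accept URLs for the given php.ini text."""
    raw = dict(DEFAULTS)
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0]                 # ';' starts a comment
        m = re.match(r"\s*(\w+)\s*=\s*(.*)$", line)
        if m and m.group(1) in raw:                  # directive names are case-sensitive
            raw[m.group(1)] = m.group(2)             # a later assignment overrides an earlier one
    fopen_on = php_bool(raw["allow_url_fopen"])
    include_on = php_bool(raw["allow_url_include"])
    return {
        "url_in_fopen": fopen_on,
        # Remote include needs both directives enabled.
        "url_in_include": fopen_on and include_on,
    }

# Constructed sample inputs, not taken from any real system.
SAMPLE_DEFAULTISH = """
[PHP]
;allow_url_include = On   ; commented out, so the default (off) applies
allow_url_fopen = On
"""
SAMPLE_RISKY = "allow_url_fopen = 1\nallow_url_include = \"On\"\n"
SAMPLE_LOCKED = "allow_url_fopen = On\nallow_url_fopen = Off\nallow_url_include = On\n"

if __name__ == "__main__":
    for name, text in [("default-ish", SAMPLE_DEFAULTISH), ("risky", SAMPLE_RISKY),
                       ("locked", SAMPLE_LOCKED)]:
        print(name, url_wrapper_exposure(text))
```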





